CVE-2026-25521: locutus is vulnerable to Prototype Pollution

February 2, 2026 (updated February 3, 2026)

A Prototype Pollution vulnerability exists in the the npm package locutus (>2.0.12). Despite a previous fix that attempted to mitigate Prototype Pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue was fixed in version 2.0.39.

References

github.com/advisories/GHSA-rxrv-835q-v5mh
github.com/locutusjs/locutus
github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c
github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh
nvd.nist.gov/vuln/detail/CVE-2026-25521

Code Behaviors & Features

Detect and mitigate CVE-2026-25521 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →