GHSA-rxrv-835q-v5mh: locutus is vulnerable to Prototype Pollution

February 2, 2026

A Prototype Pollution vulnerability exists in the the npm package locutus (>2.0.12). Despite a previous fix that attempted to mitigate Prototype Pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue was fixed in version 2.0.39.

References

github.com/advisories/GHSA-rxrv-835q-v5mh
github.com/locutusjs/locutus
github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c
github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh

Code Behaviors & Features

Detect and mitigate GHSA-rxrv-835q-v5mh with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →