{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33994",
        "tracking": {
            "current_release_date": "2026-04-01T14:48:01.537840Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33994",
            "initial_release_date": "2026-03-27T20:28:35.996601Z",
            "revision_history": [
                {
                    "date": "2026-03-27T20:28:35.996601Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (6).| CWES updated (1)."
                },
                {
                    "date": "2026-03-27T20:28:40.025875Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-28T07:40:29.736440Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-28T07:40:41.164042Z",
                    "number": "4",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-28T07:40:43.361407Z",
                    "number": "5",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-28T07:42:56.327893Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-29T00:38:25.688497Z",
                    "number": "7",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-30T12:32:58.994228Z",
                    "number": "8",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (7).| Product Identifiers created (1).| References created (6).| CWES updated (1).| Vendor_assessment created."
                },
                {
                    "date": "2026-03-30T20:47:10.178658Z",
                    "number": "9",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-04-01T13:25:02.802593Z",
                    "number": "10",
                    "summary": "CVSS created.| Products created (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-04-01T13:25:05.297209Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-01T14:39:45.460191Z",
                    "number": "12",
                    "summary": "CVSS created.| Unknown change."
                }
            ],
            "status": "interim",
            "version": "12"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/5",
                                "product": {
                                    "name": "vers:rpm/5",
                                    "product_id": "CSAFPID-1459353",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:logging:5"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Logging Subsystem for Red Hat OpenShift"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5187689"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch-operator-bundle"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2914696"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch-proxy-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2914697"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch-rhel9-operator"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2855724"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch6-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1459355"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "kibana6-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2855725"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "logging-curator5-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Logging Subsystem for Red Hat OpenShift"
                    }
                ],
                "category": "vendor",
                "name": "Red Hat"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=2.0.39|<3.0.25",
                                "product": {
                                    "name": "vers:unknown/>=2.0.39|<3.0.25",
                                    "product_id": "CSAFPID-5973146",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "locutus"
                    }
                ],
                "category": "vendor",
                "name": "locutus"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=2.0.39|<3.0.25",
                                "product": {
                                    "name": "vers:unknown/>=2.0.39|<3.0.25",
                                    "product_id": "CSAFPID-5956306"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "locutus"
                    }
                ],
                "category": "vendor",
                "name": "locutusjs"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33994",
            "cwe": {
                "id": "CWE-1321",
                "name": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\n\nA prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard.\n\nThis vulnerability stems from an incomplete fix for [CVE-2026-25521](https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh). The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another.\n\n## Package\n\nlocutus (npm)\n\n## Affected versions\n\n>= 2.0.39, <= 3.0.24\n\nTested and confirmed vulnerable on **2.0.39** and **3.0.24** (latest). Version 2.0.38 (pre-fix) uses a different guard (`String.prototype.includes`) and is not affected by this specific bypass.\n\n---\n\n## Description\n\n### Details\n\nThe vulnerability resides in `parse_str.js` where the `RegExp.prototype.test()` function is used to check whether user-provided input contains forbidden keys:\n\n```javascript\nif (/__proto__|constructor|prototype/.test(key)) {\n  break\n}\n```\n\nThe previous guard (fixed in CVE-2026-25521) used `String.prototype.includes()`:\n\n```javascript\nif (key.includes('__proto__')) {\n  break\n}\n```\n\nThe CVE-2026-25521 fix correctly identified that `String.prototype.includes` can be hijacked. However, the replacement guard using `RegExp.prototype.test()` suffers from the same class of weakness — `RegExp.prototype.test` is a writable method on the prototype chain and can be overridden to always return `false`, completely disabling the guard.\n\nThe robust fix is to use direct string comparison operators (`===`) in native control flow (`for`/`if`) instead of prototype methods like `RegExp.prototype.test()`, since `===` is a language-level operator that cannot be overridden.\n\n### PoC\n\n#### Steps to reproduce\n\n1. Install locutus using `npm install locutus`\n2. Run the following code snippet:\n\n```javascript\nconst parse_str = require('locutus/php/strings/parse_str');\n\n// Hijack RegExp.prototype.test (simulates a prior prototype pollution gadget)\nconst original = RegExp.prototype.test;\nRegExp.prototype.test = function () { return false; };\n\n// Payload\nconst result = {};\nparse_str('__proto__[polluted]=yes', result);\n\n// Check\nRegExp.prototype.test = original;\nconsole.log(({}).polluted); // 'yes' — prototype is polluted\n```\n\n#### Expected behavior\n\nPrototype pollution should be prevented and `({}).polluted` should print `undefined`.\n\n```\nundefined\n```\n\n#### Actual behavior\n\n`Object.prototype` is polluted. This is printed on the console:\n\n```\nyes\n```\n\n### Impact\n\nThis is a prototype pollution vulnerability with the same impact as CVE-2026-25521. The attack requires a chaining scenario — an attacker needs a separate prototype pollution gadget (e.g., from another npm package in the same application) to override `RegExp.prototype.test` before exploiting `parse_str`. This is realistic in Node.js applications that use multiple npm packages, where one package's vulnerability can disable another package's defenses.\n\nAny application that processes attacker-controlled input using `locutus/php/strings/parse_str` may be affected. It could potentially lead to:\n\n1. Authentication bypass\n2. Denial of service\n3. Remote code execution (if polluted property is passed to sinks like `eval` or `child_process`)\n\n### Resources\n\n- Original advisory: https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh\n- Fix commit (incomplete): https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c\n- Vulnerable file: https://github.com/locutusjs/locutus/blob/main/src/php/strings/parse_str.js#L77\n\n## Maintainer response\n\nThank you for the follow-up report. This issue was reproduced locally against `locutus@3.0.24`, confirming that the earlier `parse_str` guard was incomplete: if `RegExp.prototype.test` was already compromised, the guard could be bypassed and `parse_str('__proto__[polluted]=yes', result)` could still pollute `Object.prototype`.\n\nThis is now fixed on `main` and released in `locutus@3.0.25`.\n\n## Fix Shipped In\n\n- **PR:** [locutusjs/locutus#597](https://github.com/locutusjs/locutus/pull/597)\n- **Merge commit on `main`:** `345a6211e1e6f939f96a7090bfeff642c9fcf9e4`\n- **Release:** [v3.0.25](https://github.com/locutusjs/locutus/releases/tag/v3.0.25)\n\n## What the Fix Does\n\nThe new fix no longer relies on a regex-prototype guard for safety. Instead, `src/php/strings/parse_str.ts` now rejects dangerous key paths during parsed-segment assignment, so the sink itself is hardened even if `RegExp.prototype.test` has been tampered with beforehand.\n\n## Tested Repro Before the Fix\n\n- Override `RegExp.prototype.test` to always return `false`\n- Call `parse_str('__proto__[polluted]=yes', result)`\n- Observe `({}).polluted === 'yes'`\n\n## Tested State After the Fix in `3.0.25`\n\n- Dangerous key paths are skipped during assignment\n- The same chained repro no longer pollutes `Object.prototype`\n- The regression is covered by `test/custom/parse_str-prototype-pollution.vitest.ts`\n\n---\n\nThe locutus team is treating this as a real package vulnerability with patched version `3.0.25`. The vulnerable range should end at `< 3.0.25`.",
                    "title": "github - https://api.github.com/advisories/GHSA-vc8f-x9pp-wf5p"
                },
                {
                    "category": "description",
                    "text": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another. Version 3.0.25 contains an updated fix.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33994.json"
                },
                {
                    "category": "description",
                    "text": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another. Version 3.0.25 contains an updated fix.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33994"
                },
                {
                    "category": "description",
                    "text": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another. Version 3.0.25 contains an updated fix.\nA flaw was found in the `locutus` npm package. A prototype pollution vulnerability exists in the `parse_str` function. A remote attacker can exploit this by crafting a malicious query string and overriding `RegExp.prototype.test`, leading to the pollution of `Object.prototype`. This bypasses existing security guards and can result in unexpected behavior or further attacks within the JavaScript application.",
                    "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33994.json"
                },
                {
                    "category": "other",
                    "text": "0.00046",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                    "title": "CVSSV4"
                },
                {
                    "category": "other",
                    "text": "6.3",
                    "title": "CVSSV4 base score"
                },
                {
                    "category": "other",
                    "text": "4.1",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')), There is exploit data available from source Nvd, Exploit code publicly available",
                    "title": "NCSC Score top decreasing factors"
                },
                {
                    "category": "details",
                    "text": "Severity: 2\n",
                    "title": "Vendor assessment"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5956306",
                    "CSAFPID-5973146"
                ],
                "known_not_affected": [
                    "CSAFPID-1459353",
                    "CSAFPID-1459355",
                    "CSAFPID-2855724",
                    "CSAFPID-2855725",
                    "CSAFPID-2914696",
                    "CSAFPID-2914697",
                    "CSAFPID-5187689"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-vc8f-x9pp-wf5p"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33994.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33994"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33994.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; redhat",
                    "url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-vc8f-x9pp-wf5p"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; redhat",
                    "url": "https://github.com/locutusjs/locutus/pull/597"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; redhat",
                    "url": "https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; redhat",
                    "url": "https://github.com/locutusjs/locutus/releases/tag/v3.0.25"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-vc8f-x9pp-wf5p"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-33994"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; redhat",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33994"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                        "baseScore": 9.8,
                        "baseSeverity": "CRITICAL"
                    },
                    "products": [
                        "CSAFPID-5956306",
                        "CSAFPID-5973146"
                    ]
                }
            ],
            "title": "CVE-2026-33994"
        }
    ]
}