CVE-2026-33994
Published: 27 March 2026
Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another. Version 3.0.25 contains an updated fix.
Mitigating Controls (NIST 800-53 r5)
Directly remediates the prototype pollution vulnerability by requiring timely application of the vendor patch in Locutus version 3.0.25.
Requires validation of untrusted inputs prior to processing by the vulnerable parse_str function, preventing crafted query strings from bypassing the prototype pollution guard.
Enables identification of the vulnerable Locutus package versions through vulnerability scanning, allowing proactive remediation before exploitation.
Security Summary
CVE-2026-33994 is a prototype pollution vulnerability in the `parse_str` function of the Locutus npm package, which ports standard libraries from other programming languages to JavaScript for educational purposes. The issue affects versions starting from 2.0.39 and prior to 3.0.25. It arises from an incomplete fix for the prior CVE-2026-25521, where a guard against prototype pollution was switched from `String.prototype.includes()` to `RegExp.prototype.test()`. However, `RegExp.prototype.test` is a writable prototype method that can itself be overridden, allowing bypass of the new guard. The vulnerability is rated CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes).
An attacker can exploit this by first overriding `RegExp.prototype.test` and then supplying a crafted query string to the `parse_str` function, enabling pollution of `Object.prototype`. Exploitation requires no privileges or user interaction and can occur remotely over a network with low complexity. Successful pollution of `Object.prototype` can lead to high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution or other severe consequences in applications that process untrusted input through Locutus.
The GitHub security advisory (GHSA-vc8f-x9pp-wf5p) and related commit (345a6211e1e6f939f96a7090bfeff642c9fcf9e4), pull request (#597), and release notes for v3.0.25 detail the updated fix in version 3.0.25, which addresses the bypass by implementing a more robust prototype pollution guard. Security practitioners should upgrade to Locutus 3.0.25 or later and audit usage of `parse_str` with untrusted inputs.
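The description and summary above both come down to one design point: a key guard whose comparison is performed by an overridable prototype method (`String.prototype.includes`, then `RegExp.prototype.test`) can be switched off before the parser runs. The following is an added example written for this page, not locutus code and not the v3.0.25 fix, showing a query-string parser whose guard is a `switch` on string equality (evaluated by the engine, not by a replaceable method) and whose output tree is built from null-prototype objects so that there is no prototype chain to reach. Function names, the sample query strings and the regression check are constructed for this example; the regression check reproduces only the pattern the advisory itself states (a replaced `RegExp.prototype.test` followed by a crafted query string) to confirm that the hardened guard is unaffected by it.

```javascript
// Added example (not locutus code): a parse_str-style parser whose
// dangerous-key guard does not depend on any overridable prototype method.

// A switch on string literals is evaluated directly by the engine; unlike
// String.prototype.includes or RegExp.prototype.test it cannot be replaced
// from JavaScript, so overriding built-ins does not disable this check.
function isForbiddenKey(key) {
  switch (key) {
    case '__proto__':
    case 'constructor':
    case 'prototype':
      return true;
    default:
      return false;
  }
}

// "b[c][d]" -> ["b", "c", "d"]; plain keys come back as a one-element path.
function splitKey(key) {
  const open = key.indexOf('[');
  if (open === -1) return [key];
  const parts = [key.slice(0, open)];
  let i = open;
  while (i < key.length && key[i] === '[') {
    const close = key.indexOf(']', i);
    if (close === -1) break; // unterminated bracket: ignore the remainder
    parts.push(key.slice(i + 1, close));
    i = close + 1;
  }
  return parts;
}

// Parse "a=1&b[c]=2" into a tree of null-prototype objects. Any segment whose
// path contains a forbidden key is dropped whole. Even if a forbidden key did
// slip through, assigning it on an Object.create(null) container creates an
// own property; it never reaches Object.prototype.
function safeParseStr(query) {
  const result = Object.create(null);
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    const key = decodeURIComponent(rawKey.split('+').join(' '));
    const value = decodeURIComponent(rawVal.split('+').join(' '));
    const path = splitKey(key);
    let forbidden = false;
    for (let i = 0; i < path.length; i++) {
      if (isForbiddenKey(path[i])) { forbidden = true; break; }
    }
    if (forbidden) continue;
    let cursor = result;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      if (typeof cursor[seg] !== 'object' || cursor[seg] === null) {
        cursor[seg] = Object.create(null);
      }
      cursor = cursor[seg];
    }
    cursor[path[path.length - 1]] = value;
  }
  return result;
}

// Defender's regression check for the bypass pattern the advisory describes:
// with RegExp.prototype.test replaced, the hardened parser must still leave
// Object.prototype untouched. The original method is restored on exit.
function guardHoldsWhenRegExpTestIsTampered() {
  const original = RegExp.prototype.test;
  RegExp.prototype.test = function () { return false; }; // simulated override
  try {
    safeParseStr('__proto__[polluted]=1&constructor[prototype][polluted2]=1');
    return ({}).polluted === undefined && ({}).polluted2 === undefined;
  } finally {
    RegExp.prototype.test = original;
  }
}

// Runtime integrity hint for code that still relies on RegExp.prototype.test:
// a native implementation stringifies with "[native code]". This is a
// heuristic only, since Function.prototype.toString is itself overridable.
function hasNativeRegExpTest() {
  const src = Function.prototype.toString.call(RegExp.prototype.test);
  return src.indexOf('[native code]') !== -1;
}
```

The durable part of this design is the null-prototype container rather than the guard: the guard rejects the well-known key names, but even a key it misses cannot pollute `Object.prototype` because the container has no prototype chain. Applications that cannot change the parser should still upgrade to 3.0.25 or later and treat `hasNativeRegExpTest()` returning false as a signal that a built-in has been tampered with before untrusted input was parsed.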
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVSS vector AV:N/AC:L/PR:N/UI:N indicates remote, unauthenticated, low-complexity exploitation of applications that process untrusted input through Locutus `parse_str`, such as public-facing web services parsing query strings; this maps directly to T1190: Exploit Public-Facing Application.