Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package locutus, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVE-2020-7719 — CVSS 9.8 (critical): Versions of package locutus before 2.0.12 are vulnerable to prototype Pollution via the php.strings.parse_str function.
CVE-2026-32304 — CVSS 9.8 (critical): Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args…
CVE-2026-33993 — CVSS 9.8 (critical): Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()`…
CVE-2026-33994 — CVSS 9.8 (critical): Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to…
CVE-2026-25521 — CVSS 8.8 (high): Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a…
CVE-2026-29091 — CVSS 8.1 (high): Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code…
CVE-2021-23392 — CVSS 5.3 (medium): The package locutus before 2.0.15 are vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function.