GHSA-4MPH-V827-F877 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Summary
The unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the __proto__ key. When a PHP serialized payload contains __proto__ as an array or object key, JavaScript's __proto__ setter is invoked, replacing the deserialized...
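The assignment pattern the summary describes, next to a hardened form, as an added JavaScript example (not code from locutus or from the advisory). The parser, `unsafeAssign`, `safeAssign` and the sample string are constructed for illustration and cover only an ASCII subset of the serialize format.

```javascript
// Minimal parser for a subset of PHP's serialize() format (ASCII s:, i:, b:, a:).
// Hypothetical illustration; not locutus's implementation.
function parse(input, assign) {
  let pos = 0;
  const until = (ch) => {
    const end = input.indexOf(ch, pos);
    if (end === -1) throw new SyntaxError('unterminated token at ' + pos);
    const tok = input.slice(pos, end);
    pos = end + 1;
    return tok;
  };
  const value = () => {
    const type = until(':');
    if (type === 'i') return parseInt(until(';'), 10);
    if (type === 'b') return until(';') === '1';
    if (type === 's') {
      const len = parseInt(until(':'), 10);
      const str = input.slice(pos + 1, pos + 1 + len); // skip opening quote
      pos += len + 3; // opening quote, body, closing quote, ';'
      return str;
    }
    if (type === 'a') {
      const count = parseInt(until(':'), 10);
      pos += 1; // '{'
      const out = {};
      for (let i = 0; i < count; i++) {
        const key = value();
        assign(out, key, value()); // key comes straight from the payload
      }
      pos += 1; // '}'
      return out;
    }
    throw new SyntaxError('unsupported type: ' + type);
  };
  return value();
}

// Pattern from the summary: bracket assignment invokes the inherited __proto__ setter.
const unsafeAssign = (obj, key, val) => { obj[key] = val; };

// Hardened: define an own data property, so no inherited setter runs.
const safeAssign = (obj, key, val) => {
  Object.defineProperty(obj, key, { value: val, writable: true, enumerable: true, configurable: true });
};

// Constructed sample input: an array whose only key is "__proto__".
const SAMPLE = 'a:1:{s:9:"__proto__";a:1:{s:4:"flag";b:1;}}';

console.log(Object.keys(parse(SAMPLE, unsafeAssign))); // key is lost; value became the prototype
console.log(Object.keys(parse(SAMPLE, safeAssign)));   // key kept as an ordinary own property
```

Building the container with `Object.create(null)` instead of `{}` has the same effect, because no `__proto__` setter is inherited.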