CVE-2026-29091
HIGH
GHSA-fp25-p6mj-qqg6
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0.
Analysis
Remote code execution in Locutus prior to version 3.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript code through improper validation in the call_user_func_array function, which unsafely passes user-controlled callback parameters to eval(). Applications using the vulnerable versions of this JavaScript standard library implementation are at risk of complete compromise through network-based attacks. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all applications and dependencies using Locutus library and isolate affected systems from production traffic where possible. Within 7 days: Implement network-based compensating controls (WAF rules, input validation), disable call_user_func_array functionality if not critical, and establish enhanced monitoring for suspicious code execution patterns. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today