CVE-2026-29091
Received Received - Intake
Remote Code Execution in Locutus call_user_func_array Function

Publication date: 2026-03-06

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29091
EUVD
EUVD-2026-10051
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
locutus locutus to 3.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29091 is a Remote Code Execution (RCE) vulnerability in the locutus JavaScript library, specifically in the call_user_func_array function implementation prior to version 3.0.0.

The vulnerability arises because the function accepts a callback array where only the first element is properly validated, but the second element (the method name) is not validated before being used inside an eval statement.

This allows an attacker to inject arbitrary JavaScript code by crafting a malicious method name that escapes the property access context, enabling execution of arbitrary commands with the full privileges of the Node.js process.

The issue stems from improper input sanitization and unsafe use of eval in the callback handling, which has been patched in version 3.0.0.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary JavaScript code within the Node.js runtime environment where the vulnerable locutus library is used.

Exploitation requires passing untrusted array callbacks to the call_user_func_array function, which is common in JSON-RPC setups or PHP-to-JavaScript porting layers.

Successful exploitation can lead to full compromise of the application, including unauthorized command execution, data theft, or service disruption.

The vulnerability has a high severity rating with a CVSS v3 score of 8.1, indicating significant impact on confidentiality, integrity, and availability.

Compliance Impact

I don't know

Detection Guidance

The vulnerability exists in the call_user_func_array function implementation of the locutus library prior to version 3.0.0, where arbitrary JavaScript code can be injected via the second element of a callback array. Detection involves identifying usage of vulnerable locutus versions and monitoring for suspicious calls to call_user_func_array with untrusted callback arrays.

Since the vulnerability is triggered by passing untrusted array callbacks to call_user_func_array, especially in JSON-RPC or PHP-to-JavaScript porting layers, detection can focus on logging or tracing such calls.

Suggested commands or approaches include:

  • Search your codebase or dependencies for locutus versions prior to 3.0.0.
  • Audit usage of call_user_func_array calls, especially those passing arrays as callbacks.
  • Add runtime instrumentation or logging around call_user_func_array to capture callback parameters.
  • Use static code analysis tools to detect eval usage or unsafe callback handling in locutus or your application.
  • Monitor network traffic for JSON-RPC or similar requests that might pass malicious callback arrays.
Mitigation Strategies

The primary mitigation is to upgrade the locutus library to version 3.0.0 or later, where the vulnerability has been patched by properly validating both elements of the callback array and removing unsafe eval usage.

If upgrading immediately is not possible, consider the following steps:

  • Avoid passing untrusted or user-controlled arrays as callbacks to call_user_func_array.
  • Implement input validation to ensure both elements of the callback array conform to safe JavaScript function naming patterns.
  • Refactor code to avoid using eval or dynamic function invocation patterns that rely on unvalidated input.
  • Apply runtime monitoring to detect suspicious or unexpected callback invocations.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29091. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart