Can you explain this vulnerability to me?

CVE-2026-29091 is a Remote Code Execution (RCE) vulnerability in the locutus JavaScript library, specifically in the call_user_func_array function implementation prior to version 3.0.0.

The vulnerability arises because the function accepts a callback array where only the first element is properly validated, but the second element (the method name) is not validated before being used inside an eval statement.

This allows an attacker to inject arbitrary JavaScript code by crafting a malicious method name that escapes the property access context, enabling execution of arbitrary commands with the full privileges of the Node.js process.

The issue stems from improper input sanitization and unsafe use of eval in the callback handling, which has been patched in version 3.0.0.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability allows remote attackers to execute arbitrary JavaScript code within the Node.js runtime environment where the vulnerable locutus library is used.

Exploitation requires passing untrusted array callbacks to the call_user_func_array function, which is common in JSON-RPC setups or PHP-to-JavaScript porting layers.

Successful exploitation can lead to full compromise of the application, including unauthorized command execution, data theft, or service disruption.

The vulnerability has a high severity rating with a CVSS v3 score of 8.1, indicating significant impact on confidentiality, integrity, and availability.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability exists in the call_user_func_array function implementation of the locutus library prior to version 3.0.0, where arbitrary JavaScript code can be injected via the second element of a callback array. Detection involves identifying usage of vulnerable locutus versions and monitoring for suspicious calls to call_user_func_array with untrusted callback arrays.

Since the vulnerability is triggered by passing untrusted array callbacks to call_user_func_array, especially in JSON-RPC or PHP-to-JavaScript porting layers, detection can focus on logging or tracing such calls.

Suggested commands or approaches include:

• Search your codebase or dependencies for locutus versions prior to 3.0.0.
• Audit usage of call_user_func_array calls, especially those passing arrays as callbacks.
• Add runtime instrumentation or logging around call_user_func_array to capture callback parameters.
• Use static code analysis tools to detect eval usage or unsafe callback handling in locutus or your application.
• Monitor network traffic for JSON-RPC or similar requests that might pass malicious callback arrays.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the locutus library to version 3.0.0 or later, where the vulnerability has been patched by properly validating both elements of the callback array and removing unsafe eval usage.

If upgrading immediately is not possible, consider the following steps:

• Avoid passing untrusted or user-controlled arrays as callbacks to call_user_func_array.
• Implement input validation to ensure both elements of the callback array conform to safe JavaScript function naming patterns.
• Refactor code to avoid using eval or dynamic function invocation patterns that rely on unvalidated input.
• Apply runtime monitoring to detect suspicious or unexpected callback invocations.

Useful 0 Not Useful 0