PT-2026-23097 · Locutus · Locutus

Tomasilluminati · Published 2026-03-04 · Updated 2026-03-13

CVE-2026-29091
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Locutus versions prior to 3.0.0

Description: Locutus, a library that ports standard library functions from other programming languages to JavaScript for educational purposes, contains a remote code execution (RCE) flaw. The issue resides in the implementation of the call_user_func_array function and its wrapper call_user_func. The root cause is that the function does not validate every component of a callback array before passing them to eval(). Specifically, the code applies a regular expression check to the first element of the callback array but not to the second, so arbitrary JavaScript can be injected through the second element. The injected code then executes with the full privileges of the Node.js process. The vulnerable code lives in the call_user_func_array function in the src/php/funchand/call_user_func_array.js file. An attacker can exploit the flaw by supplying a crafted value in the cb[1] parameter, bypassing the library's intended validation. This is not a "drive-by" issue: it requires an application that passes untrusted input into Locutus's callback functions, for example by using them as a gateway or router. The vulnerable code builds a function call as a string and executes it with eval(), which is inherently risky.

Recommendations: Update to Locutus version 3.0.0 or later.
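The mitigation described above (validate both elements of the callback array and do not build code strings for eval()) can be implemented by resolving the callback through ordinary property lookup against an allowlist. The following is an added example, not Locutus's own code: the names registry, resolveCallback, callUserFuncArray and callUserFunc, and the sample registry contents, are assumptions made for illustration. The identifier pattern is the kind of check the advisory says is applied to cb[0]; here it is applied to cb[1] as well, and string targets resolve against an explicit registry rather than the global object.

```javascript
'use strict';

// Added example (not Locutus's code): a callback dispatcher in the style of
// PHP's call_user_func_array that resolves [target, method] callbacks by
// property lookup instead of eval(), and validates BOTH array elements.

// Plain-identifier check, applied to the method name as well as the target.
const IDENTIFIER = /^[_$a-zA-Z\xA0-\uFFFF][_$a-zA-Z0-9\xA0-\uFFFF]*$/;

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Allowlist of objects that string targets may name (constructed sample data).
// Resolving against a registry, not the global object, means a caller can only
// reach what the application deliberately exposed.
const registry = {
  strings: {
    upper: (s) => s.toUpperCase(),
    pad: (s, n) => s.padStart(n, '.'),
  },
  math: {
    add: (a, b) => a + b,
  },
};

function resolveCallback(cb, reg) {
  if (typeof cb === 'function') {
    return { fn: cb, scope: null };
  }
  if (!Array.isArray(cb) || cb.length !== 2) {
    throw new TypeError('callback must be a function or a [target, method] pair');
  }
  const [target, method] = cb;

  // The second element gets the same check as the first: it must be a plain
  // identifier and is only ever used as a property key, never interpolated
  // into source text.
  if (typeof method !== 'string' || !IDENTIFIER.test(method)) {
    throw new TypeError('method name must be a plain identifier');
  }

  let scope;
  if (typeof target === 'string') {
    if (!IDENTIFIER.test(target) || !hasOwn(reg, target)) {
      throw new TypeError(`unknown target "${target}"`);
    }
    scope = reg[target];
  } else if (target !== null && typeof target === 'object') {
    scope = target;
  } else {
    throw new TypeError('target must be a registered name or an object');
  }

  // Own-property check: inherited members such as constructor or toString
  // are not reachable through the dispatcher.
  if (!hasOwn(scope, method) || typeof scope[method] !== 'function') {
    throw new TypeError(`"${method}" is not a callable own property of the target`);
  }
  return { fn: scope[method], scope };
}

// Equivalent of call_user_func_array(cb, parameters) without eval().
function callUserFuncArray(cb, parameters, reg = registry) {
  const { fn, scope } = resolveCallback(cb, reg);
  return fn.apply(scope, parameters);
}

// Wrapper mirroring call_user_func(cb, ...args).
function callUserFunc(cb, ...args) {
  return callUserFuncArray(cb, args);
}
```

Two design points matter here. First, every name that originates from the caller is used only as a lookup key, so there is no code string for an unchecked component to escape from. Second, the own-property check stops callers from walking the prototype chain of a registered object; validating the identifier syntax alone would still let a syntactically valid name like constructor through.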

Tags: RCE · Eval Injection

Weakness Enumeration

Related Identifiers

CVE-2026-29091
GHSA-FP25-P6MJ-QQG6

Affected Products

Locutus