Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0.
Published: 2026-03-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The bug lies in the implementation of call_user_func_array (and its wrapper call_user_func), which builds source text from the components of a callback array and passes it to eval() without validating all of those components. An attacker who controls one of those components can therefore supply crafted JavaScript that runs with the privileges of the application, giving remote code execution. The weakness is classified as CWE-94 (Improper Control of Generation of Code, "Code Injection") and CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, "Eval Injection").

Affected Systems

The issue affects the open‑source library locutus, which exposes standard libraries of other languages to JavaScript. Versions older than 3.0.0 contain the vulnerable implementation. The library is typically used in Node.js environments, but can also be embedded in browser contexts. Any deployment of locutus prior to 3.0.0, regardless of installed Node.js version, is at risk.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates a high-severity vulnerability: reachable over the network with no privileges or user interaction and with total impact on confidentiality, integrity and availability, with only the high attack complexity keeping it below critical. The EPSS score of less than 1% suggests that exploitation is not yet widespread, and the flaw is not listed in the CISA KEV catalog, although the SSVC assessment recorded in the history below notes that a public proof of concept exists. Because the bug allows arbitrary code execution, defenders should treat it as a high-risk threat vector. Exploitation requires that attacker-controlled data reach a callback array the application passes to call_user_func_array (or call_user_func); the unvalidated components of that array are then evaluated.

Generated by OpenCVE AI on April 16, 2026 at 11:16 UTC.

Remediation

No separate vendor advisory or workaround is recorded here; the fix is contained in locutus 3.0.0 (see the description above and GHSA-fp25-p6mj-qqg6 under Advisories), so upgrading is the remediation.

OpenCVE Recommended Actions

  • Update the locutus library to version 3.0.0 or later, which patches the vulnerable call_user_func_array and call_user_func implementations.
  • Audit any dependent code to ensure that no unvalidated or untrusted data is passed to call_user_func_array, call_user_func, or other eval-like functions provided by locutus or any other library.
  • Where a callback must be selected by data, replace eval-based dispatch with an explicit allow-list that maps permitted names to function references in your own codebase and rejects anything else; never build source text from caller-supplied strings.
  • Treat any eval() or new Function() call reachable from request-derived data as a finding in code review and static analysis, and use runtime monitoring (for example, alerting on unexpected child processes or outbound connections from the Node.js process) to detect successful code execution.
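The eval-injection pattern described under Impact and the allow-list replacement recommended above, as an added JavaScript illustration that is not locutus source code: the `ns` namespace, the `markInjected` canary, the crafted `payload`, and both `vulnerableCallUserFuncArray` and `safeCallUserFuncArray` are this example's own, and the vulnerable function models the behaviour the advisory describes rather than reproducing the library's implementation.

```javascript
// Added illustration (not locutus source): a minimal model of the flaw the
// advisory describes, beside an allow-list replacement that never evaluates
// caller-supplied text. All names here are this example's own.

// Constructed "namespace" that callbacks may name, standing in for the
// application's globals.
const ns = {
  greet: (name) => `hello ${name}`,
  math: { double: (x) => x * 2 },
};

// Canary: any injected code reaching this function proves execution happened.
let injectedCalls = 0;
function markInjected() { injectedCalls += 1; }
function getInjectedCalls() { return injectedCalls; }
function resetInjected() { injectedCalls = 0; }

// Vulnerable pattern: a ['target', 'member'] callback is turned into source
// text and handed to eval() with neither component validated, so a member
// name containing a quote and a semicolon becomes arbitrary statements.
function vulnerableCallUserFuncArray(cb, params) {
  let func;
  if (Array.isArray(cb) && typeof cb[0] === 'string') {
    func = eval(cb[0] + "['" + cb[1] + "']"); // eval-injection sink (CWE-95)
  } else if (Array.isArray(cb)) {
    func = cb[0][cb[1]];
  } else if (typeof cb === 'function') {
    func = cb;
  }
  if (typeof func !== 'function') throw new TypeError('callback is not callable');
  return func.apply(null, params);
}

// Hardened replacement: string callbacks resolve only through an explicit
// allow-list of function references, and object/method pairs use a plain
// own-property lookup. No source text is ever built or evaluated.
const allowedCallbacks = new Map([
  ['ns.greet', ns.greet],
  ['ns.math.double', ns.math.double],
]);

function safeCallUserFuncArray(cb, params) {
  let func;
  if (typeof cb === 'function') {
    func = cb;
  } else if (typeof cb === 'string') {
    func = allowedCallbacks.get(cb);
  } else if (Array.isArray(cb) && cb.length === 2 && typeof cb[1] === 'string') {
    const [target, method] = cb;
    if (typeof target === 'string') {
      // Exact key match: an injected "greet']; ..." is simply an unknown key.
      func = allowedCallbacks.get(`${target}.${method}`);
    } else if (target !== null && typeof target === 'object') {
      // Own properties only, so inherited members such as `constructor`
      // are not reachable through this path.
      func = Object.prototype.hasOwnProperty.call(target, method) ? target[method] : undefined;
    }
  }
  if (typeof func !== 'function') {
    throw new TypeError(`callback not permitted: ${JSON.stringify(cb)}`);
  }
  return func.apply(null, Array.isArray(params) ? params : []);
}

// Returns true when impl rejects the callback (TypeError) instead of running it.
function rejects(impl, cb, params) {
  try { impl(cb, params); return false; } catch (e) { return e instanceof TypeError; }
}

// Constructed payload: closes the quoted member name, injects a statement,
// then reopens a valid member so the call still "succeeds" and the caller
// sees nothing unusual.
const payload = ['ns', "greet']; markInjected(); ns['greet"];

// Runs both implementations against benign and crafted callbacks and returns
// what each did, so the difference can be checked rather than just printed.
function runScenario() {
  resetInjected();
  const r = {};
  r.benignVulnerable = vulnerableCallUserFuncArray(['ns', 'greet'], ['bob']);
  r.injectedResult = vulnerableCallUserFuncArray(payload, ['eve']);
  r.injectedAfterVulnerable = getInjectedCalls();   // 1: the injection ran
  r.benignSafe = safeCallUserFuncArray(['ns.math', 'double'], [21]);
  r.safeRejectsPayload = rejects(safeCallUserFuncArray, payload, ['eve']);
  r.injectedAfterSafe = getInjectedCalls();         // still 1: nothing evaluated
  return r;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runScenario());
}
```

Run with node. The vulnerable model returns "hello eve" for the crafted callback while the canary records that the injected statement executed, whereas the hardened version throws before anything is evaluated. The design point is that the replacement never builds source text: every string the caller supplies is used only as a Map key or an own-property name, so quotes and semicolons in it have no meaning.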



Advisories

Source       ID                    Title
Github GHSA  GHSA-fp25-p6mj-qqg6   locutus call_user_func_array vulnerable to Remote Code Execution (RCE) due to Code Injection
History

Wed, 25 Mar 2026 00:15:00 +0000

Type         Values Removed             Values Added
Weaknesses                              CWE-94
References
Metrics      threat_severity: None      threat_severity: Important


Fri, 13 Mar 2026 19:15:00 +0000

Type         Values Removed   Values Added
CPEs                          cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:*

Mon, 09 Mar 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Locutus
                                       Locutus locutus
Vendors & Products                     Locutus
                                       Locutus locutus

Fri, 06 Mar 2026 19:15:00 +0000

Type         Values Removed   Values Added
Metrics                       ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 18:00:00 +0000

Type         Values Removed   Values Added
Description                   Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0.
Title                         Locutus: Remote Code Execution (RCE) in locutus call_user_func_array due to Code Injection
Weaknesses                    CWE-95
References
Metrics                       cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T18:34:27.477Z

Reserved: 2026-03-03T21:54:06.707Z

Link: CVE-2026-29091

Vulnrichment

Updated: 2026-03-06T18:34:17.673Z

NVD

Status : Analyzed

Published: 2026-03-06T18:16:20.257

Modified: 2026-03-13T19:07:16.483

Link: CVE-2026-29091

Redhat

Severity : Important

Public Date: 2026-03-06T17:48:10Z

Links: CVE-2026-29091 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses