CVE-2026-29091 Overview
A remote code execution (RCE) vulnerability has been discovered in the Locutus project, a JavaScript library that brings standard library functions from other programming languages to JavaScript for educational purposes. The vulnerability exists within the call_user_func_array function implementation, which fails to properly validate callback array components before passing them to eval(). This allows attackers to inject arbitrary JavaScript code into the application's runtime environment.
Critical Impact
Attackers can achieve remote code execution by exploiting insecure input validation in the call_user_func_array function, potentially leading to full system compromise in affected applications.
Affected Products
- Locutus versions prior to 3.0.0
Discovery Timeline
- 2026-03-06 - CVE CVE-2026-29091 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-29091
Vulnerability Analysis
This vulnerability is classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, commonly known as "Eval Injection"). The flaw originates from the call_user_func_array function and its wrapper call_user_func, which are designed to emulate PHP's callback functionality in JavaScript.
The insecure implementation accepts user-controlled input as part of a callback array structure. Before invoking the callback, the function passes these components through JavaScript's eval() function without adequate validation or sanitization. This creates a direct code injection pathway where malicious payloads embedded in the callback array are executed within the application's runtime context.
The attack can be conducted remotely over the network, though the attack complexity is considered high as it requires specific conditions to be met for successful exploitation. No privileges or user interaction are required to exploit this vulnerability, and successful exploitation can result in complete compromise of confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause of this vulnerability is improper input validation in the call_user_func_array function implementation. The function accepts callback arrays that include user-controlled components and fails to sanitize or validate these inputs before passing them to eval(). This allows attackers to craft malicious callback arrays containing JavaScript code that gets executed in the application context.
Attack Vector
The attack vector is network-based, meaning an attacker can exploit this vulnerability remotely without requiring local access to the target system. The exploitation involves sending specially crafted callback arrays to the vulnerable function. When the application processes these arrays, the embedded malicious code is passed to eval() and executed with the same privileges as the application.
The patch for this vulnerability was implemented as part of a complete TypeScript migration of all source files, which included security hardening. The commit shows changes to the project's configuration to support the TypeScript migration:
"!**/*.html",
"!index.d.ts",
"!test/generated",
+ "!test/util/type-contracts.generated.d.ts",
"!website",
"!dist",
"!node_modules",
"!.yarn",
"!src/php/_helpers/_bc.js",
+ "!src/php/_helpers/_bc.ts",
"!src/php/bc"
]
},
Source: GitHub Commit
Detection Methods for CVE-2026-29091
Indicators of Compromise
- Unexpected JavaScript execution or process spawning from applications using Locutus
- Anomalous network connections initiated by Node.js or browser-based applications utilizing the vulnerable library
- Application logs showing unusual callback array structures with embedded code patterns
- Error messages related to eval execution with unexpected input strings
Detection Strategies
- Monitor application dependencies for Locutus versions below 3.0.0 using software composition analysis (SCA) tools
- Implement runtime application self-protection (RASP) to detect and block eval-based code injection attempts
- Review application logs for suspicious callback patterns that may indicate exploitation attempts
- Deploy static application security testing (SAST) tools to identify vulnerable function usage patterns
Monitoring Recommendations
- Enable verbose logging for applications using Locutus to capture callback function invocations
- Implement network-level monitoring for unusual outbound connections from affected applications
- Set up alerts for process creation events that may indicate successful code execution
- Monitor for unexpected file system modifications in application directories
How to Mitigate CVE-2026-29091
Immediate Actions Required
- Upgrade Locutus to version 3.0.0 or later immediately
- Audit applications to identify all instances where call_user_func_array or call_user_func functions are used
- If immediate upgrade is not possible, implement input validation for all callback array parameters
- Consider removing or isolating Locutus functionality until patching is complete
Patch Information
This vulnerability has been patched in Locutus version 3.0.0. The fix was implemented as part of a comprehensive TypeScript migration (commit 977a1fb169441e35996a1d2465b512322de500ad). Users should upgrade to version 3.0.0 or later to remediate this vulnerability.
For more details, refer to the GitHub Security Advisory and the commit containing the fix.
Workarounds
- Avoid using call_user_func_array and call_user_func functions with user-controlled input until the patch is applied
- Implement strict input validation and sanitization for any data passed to callback functions
- Consider using Content Security Policy (CSP) headers to restrict script execution in web applications
- Deploy a web application firewall (WAF) with rules to detect and block code injection patterns
# Update Locutus to patched version
npm update locutus@^3.0.0
# Verify installed version
npm list locutus
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
