CVE-2026-29091

CVE-2026-29091 is a remote code execution (RCE) vulnerability in the Locutus project, a JavaScript library that ports standard libraries from other programming languages for educational purposes. The flaw affects versions prior to 3.0.0 and resides in the implementation of the call_user_func_array function and its wrapper call_user_func. Due to insufficient validation of callback array components, the functions pass untrusted input directly to eval(), enabling arbitrary JavaScript code injection into the application's runtime environment. The issue is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code).

A remote attacker without privileges can exploit this vulnerability over the network by supplying a specially crafted callback array to the affected functions. Exploitation requires high attack complexity but no user interaction. Successful exploitation grants the attacker the ability to execute arbitrary JavaScript code within the application's runtime, potentially leading to high confidentiality, integrity, and availability impacts, such as data theft, modification, or denial of service.

The vulnerability has been patched in Locutus version 3.0.0, as detailed in the project's GitHub security advisory (GHSA-fp25-p6mj-qqg6) and the specific commit (977a1fb169441e35996a1d2465b512322de500ad). Security practitioners should upgrade to version 3.0.0 or later to mitigate the issue.