{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29091", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T21:54:06.707Z", "datePublished": "2026-03-06T17:48:10.442Z", "dateUpdated": "2026-03-06T18:34:27.477Z"}, "containers": {"cna": {"title": "Locutus: Remote Code Execution (RCE) in locutus call_user_func_array due to Code Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-95", "lang": "en", "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6"}, {"name": "https://github.com/locutusjs/locutus/commit/977a1fb169441e35996a1d2465b512322de500ad", "tags": ["x_refsource_MISC"], "url": "https://github.com/locutusjs/locutus/commit/977a1fb169441e35996a1d2465b512322de500ad"}], "affected": [{"vendor": "locutusjs", "product": "locutus", "versions": [{"version": "< 3.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T17:48:10.442Z"}, "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0."}], "source": {"advisory": "GHSA-fp25-p6mj-qqg6", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T18:34:23.537452Z", "id": "CVE-2026-29091", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:34:27.477Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29091", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T18:34:23.537452Z"}}}], "references": [{"url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:34:17.673Z"}}], "cna": {"title": "Locutus: Remote Code Execution (RCE) in locutus call_user_func_array due to Code Injection", "source": {"advisory": "GHSA-fp25-p6mj-qqg6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "locutusjs", "product": "locutus", "versions": [{"status": "affected", "version": "< 3.0.0"}]}], "references": [{"url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6", "name": "https://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/locutusjs/locutus/commit/977a1fb169441e35996a1d2465b512322de500ad", "name": "https://github.com/locutusjs/locutus/commit/977a1fb169441e35996a1d2465b512322de500ad", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-95", "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T17:48:10.442Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29091", "state": "PUBLISHED", "dateUpdated": "2026-03-06T18:34:27.477Z", "dateReserved": "2026-03-03T21:54:06.707Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T17:48:10.442Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "202D3F00-F947-4F25-A0AF-EBB9FEBB7ECC", "versionEndExcluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0."}, {"lang": "es", "value": "Locutus trae las stdlibs de otros lenguajes de programaci\u00f3n a JavaScript con fines educativos. Antes de la versi\u00f3n 3.0.0, una falla de ejecuci\u00f3n remota de c\u00f3digo (RCE) fue descubierta en el proyecto locutus, espec\u00edficamente dentro de la implementaci\u00f3n de la funci\u00f3n call_user_func_array. La vulnerabilidad permite a un atacante inyectar c\u00f3digo JavaScript arbitrario en el entorno de ejecuci\u00f3n de la aplicaci\u00f3n. Este problema se deriva de una implementaci\u00f3n insegura de la funci\u00f3n call_user_func_array (y su envoltorio call_user_func), que no valida correctamente todos los componentes de un array de callback antes de pasarlos a eval(). Este problema ha sido parcheado en la versi\u00f3n 3.0.0."}], "id": "CVE-2026-29091", "lastModified": "2026-03-13T19:07:16.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T18:16:20.257", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/locutusjs/locutus/commit/977a1fb169441e35996a1d2465b512322de500ad"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-95"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "locutus: Locutus: Remote Code Execution via insecure callback function implementation", "id": "2445262", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445262"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-94", "details": ["A flaw was found in Locutus, a project that brings standard libraries of other programming languages to JavaScript. A remote attacker could exploit an insecure implementation of the `call_user_func_array` function, which fails to properly validate all components of a callback array before passing them to the eval method. This vulnerability allows the attacker to inject arbitrary JavaScript code into the application's runtime environment, leading to remote code execution."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-29091", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/elasticsearch6-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/elasticsearch-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/elasticsearch-proxy-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/elasticsearch-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/logging-curator5-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}], "public_date": "2026-03-06T17:48:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-29091\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29091\nhttps://github.com/locutusjs/locutus/commit/977a1fb169441e35996a1d2465b512322de500ad\nhttps://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.0)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "locutus", "source": "cna", "vendor": "locutusjs"}, "product": "locutus", "vendor": "locutus"}], "analysis": {"en": {"generated_at": "2026-04-16T11:16:49.222564+00:00", "value": {"mitigation_remediation": ["Update the locutus library to version 3.0.0 or later, which removes the vulnerable call_user_func_array implementation.", "Audit any dependent code to ensure that no unvalidated or untrusted data is passed to eval-like functions provided by locutus or other libraries.", "Replace the vulnerable functions with safe alternatives that perform strict validation, ensuring callback components are only function references from your codebase.", "Monitor application logs for unexpected eval activity and apply runtime monitoring to detect unauthorized code execution attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects the open\u2011source library locutus, which exposes standard libraries of other languages to JavaScript. Versions older than 3.0.0 contain the vulnerable implementation. The library is typically used in Node.js environments, but can also be embedded in browser contexts. Any deployment of locutus prior to 3.0.0, regardless of installed Node.js version, is at risk.", "description_and_impact": "The bug lies in the implementation of call_user_func_array (and its alias call_user_func), which naively forwards parts of a callback array to eval() after failing to validate them fully. This omission permits an attacker to provide crafted JavaScript code that is executed with the privileges of the running application, leading to remote code execution. The weakness is categorized as CWE-94 (Code Injection) and CWE-95 (Eval Injection).", "risk_and_exploitability": "CVSS core score of 8.1 indicates a high\u2011severity vulnerability. The EPSS score of less than 1% suggests that exploitation is currently unlikely to be widespread, and the flaw is not listed in the CISA KEV catalog. Nonetheless, because the bug allows arbitrary code execution, defenders should treat it as a high risk threat vector. An attacker could exploit the flaw remotely by injecting malicious payloads into a callback array that the application passes to call_user_func_array, which is then evaluated."}}}}, "created": "2026-03-09T10:07:13.082162+00:00", "updated": "2026-04-16T11:30:15.894108+00:00", "vendors": ["locutus", "locutus$PRODUCT$locutus"]}