CVE-2026-29091: locutus call_user_func_array vulnerable to Remote Code Execution (RCE) due to Code Injection
If exploited, this issue allows an attacker to execute arbitrary JavaScript in the Node.js process. It arises when an application passes an untrusted array callback to call_user_func_array(), a pattern common in JSON-RPC setups and PHP-to-JavaScript porting layers. Because the library fails to properly sanitize the callback, this is considered a supplier defect rather than an integration error.
This flaw has been exploited in practice, but it is not a “drive-by” vulnerability: it arises only when an application acts as a gateway or router that dispatches calls through Locutus functions.
Finally, if an attacker could control cb[0] without regex constraints, they could reference global or process directly; however, Locutus does constrain cb[0]. Injection through cb[1] is therefore the only way to bypass the library’s intended security controls, which makes this a “bypass” of the library’s own protection.
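A hardened dispatcher for the array-callback pattern described above, added here as an example; it is not Locutus code, and the registry, isSafeCallback and safeCallUserFuncArray names are assumptions. It resolves cb[0] and cb[1] against an explicit allowlist instead of building an expression for eval, so both elements, not only cb[0], are checked as plain identifiers:

```javascript
// Added example (hypothetical, not Locutus code): dispatch [object, method]
// callbacks without eval. Both parts must be plain identifiers and must
// resolve to an allowlisted target, so an injected cb[1] is rejected before
// it can reach any code-evaluating path.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Constructed registry of the only objects a JSON-RPC gateway exposes.
const registry = {
  math: {
    add: (a, b) => a + b,
    max: (...xs) => Math.max(...xs),
  },
};

// True only for a two-element array of identifier-shaped strings.
function isSafeCallback(cb) {
  return Array.isArray(cb) && cb.length === 2 &&
    cb.every((part) => typeof part === 'string' && IDENT.test(part));
}

// Resolve cb against the registry using own-property checks, so inherited
// names such as "constructor" and unknown objects such as "process" fail.
function safeCallUserFuncArray(cb, args) {
  if (!isSafeCallback(cb)) throw new TypeError('malformed callback');
  const [objName, methodName] = cb;
  if (!Object.prototype.hasOwnProperty.call(registry, objName)) {
    throw new ReferenceError(`unknown target object: ${objName}`);
  }
  const target = registry[objName];
  if (!Object.prototype.hasOwnProperty.call(target, methodName) ||
      typeof target[methodName] !== 'function') {
    throw new ReferenceError(`unknown method: ${objName}.${methodName}`);
  }
  if (!Array.isArray(args)) throw new TypeError('args must be an array');
  return target[methodName](...args);
}
```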
References
- developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
- github.com/advisories/GHSA-fp25-p6mj-qqg6
- github.com/locutusjs/locutus
- github.com/locutusjs/locutus/blob/main/src/php/funchand/call_user_func_array.js
- github.com/locutusjs/locutus/commit/977a1fb169441e35996a1d2465b512322de500ad
- github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6
- nvd.nist.gov/vuln/detail/CVE-2026-29091