CVE-2026-29091
📋 TL;DR
This vulnerability allows remote code execution in applications using Locutus library versions before 3.0.0. Attackers can inject arbitrary JavaScript code through the call_user_func_array function, potentially taking full control of affected systems. Any application using vulnerable Locutus versions is affected.
💻 Affected Systems
- Locutus
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing an attacker to execute arbitrary commands, steal sensitive data, install malware, or pivot to other systems.
Likely Case
Application compromise leading to data theft, service disruption, or unauthorized access to backend systems.
If Mitigated
Limited impact with proper input validation and sandboxing, potentially only affecting isolated application components.
🎯 Exploit Status
Exploitation requires the attacker to control the callback parameters passed to the vulnerable functions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.0
Vendor Advisory: https://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6
Restart Required: No
Instructions:
1. Update Locutus to version 3.0.0 or later using npm update locutus.
2. Verify the update with npm list locutus.
3. Test application functionality after the update.
🔧 Temporary Workarounds
Input Validation
Implement strict input validation for all parameters passed to the call_user_func_array and call_user_func functions.
Function Restriction
Restrict usage of the vulnerable functions to trusted code paths only.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user-controlled data
- Isolate applications using vulnerable versions in network segments with restricted access
🔍 How to Verify
Check if Vulnerable:
Check package.json or run npm list locutus to determine whether the installed version is below 3.0.0
Check Version:
npm list locutus | grep locutus
Verify Fix Applied:
Confirm locutus version is 3.0.0 or higher with npm list locutus
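The version check above can be automated against the JSON form of the dependency tree. The script below is an added example, not code from the advisory or the Locutus project: it walks a constructed sample of the output of npm ls locutus --json (assumed to nest packages under a dependencies key) and flags every copy of locutus, direct or transitive, that is below the patched version 3.0.0.

```javascript
// Added example (not from the advisory or the Locutus project): find copies of
// locutus below the patched version in an `npm ls locutus --json` tree.

const PATCHED = '3.0.0'; // fix version stated in the advisory

// Compare two dotted versions numerically; returns -1, 0 or 1.
// A pre-release tag (e.g. "3.0.0-rc.1") sorts below the plain release.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.split('-');
    return { nums: core.split('.').map(Number), pre: pre !== undefined };
  };
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (x.nums[i] || 0) - (y.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  return x.pre ? -1 : 1;
}

// Recursively collect every installed locutus version with its path in the tree.
function findLocutus(tree, path = [], found = []) {
  const deps = tree.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, name];
    if (name === 'locutus' && info.version) {
      found.push({ path: here.join(' > '), version: info.version });
    }
    findLocutus(info, here, found); // nested (transitive) copies
  }
  return found;
}

// Keep only the copies that are still below the patched version.
function vulnerableLocutus(tree) {
  return findLocutus(tree).filter((e) => compareVersions(e.version, PATCHED) < 0);
}

// Constructed sample tree: an unpatched direct copy and a patched transitive
// copy under a hypothetical package "some-lib".
const SAMPLE_TREE = {
  name: 'example-app',
  dependencies: {
    locutus: { version: '2.0.32' },
    'some-lib': { version: '1.4.0', dependencies: { locutus: { version: '3.0.0' } } },
  },
};

for (const e of vulnerableLocutus(SAMPLE_TREE)) {
  console.log(`VULNERABLE: ${e.path} @ ${e.version} (patched in ${PATCHED})`);
}
```

To run it against a real project, replace SAMPLE_TREE with JSON.parse of the output of npm ls locutus --json; an empty result means no copy below 3.0.0 was found in the tree.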
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript execution patterns
- Unexpected eval() calls
- Suspicious function invocations
Network Indicators:
- Unusual outbound connections from application servers
- Unexpected data exfiltration patterns
SIEM Query:
source="application_logs" AND ("call_user_func_array" OR "call_user_func") AND suspicious_parameters