Lookup for vulnerable packages by Package URL.
| Field | Value |
|---|---|
| Purl | pkg:npm/locutus@3.0.0 |
| Type | npm |
| Namespace | |
| Name | locutus |
| Version | 3.0.0 |
| Qualifiers | |
| Subpath | |
| Is_vulnerable | false |
| Next_non_vulnerable_version | null |
| Latest_non_vulnerable_version | null |
| Affected_by_vulnerabilities | |
| Fixing_vulnerabilities | 1 entry (VCID-jsj8-tpk2-sbay), detailed below |
| Risk_score | null |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:npm/locutus@3.0.0 |

Fixing_vulnerabilities[0]:

| Field | Value |
|---|---|
| url | VCID-jsj8-tpk2-sbay |
| vulnerability_id | VCID-jsj8-tpk2-sbay |
| summary | see below |
| references | |
| fixed_packages | |
| aliases | CVE-2026-29091, GHSA-fp25-p6mj-qqg6 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-jsj8-tpk2-sbay |

Summary of VCID-jsj8-tpk2-sbay:

locutus call_user_func_array vulnerable to Remote Code Execution (RCE) due to Code Injection

If exploited, this issue allows attackers to execute arbitrary JavaScript code in the Node.js process. It occurs when applications pass untrusted array callbacks to call_user_func_array(), a practice common in JSON-RPC setups and PHP-to-JavaScript porting layers. Since the library fails to properly sanitize inputs, this is considered a supplier defect rather than an integration error.

This flaw has been exploited in practice, but it is not a "drive-by" vulnerability. It only arises when an application serves as a gateway or router using Locutus functions.

Finally, if an attacker can control `cb[0]` without regex constraints, they could use `global` or `process` directly. However, Locutus protects `cb[0]`. This `cb[1]` injection is the *only* way to bypass the intended security controls of the library. It is a "bypass" of the library's own protection.