Locutus: Remote Code Execution (RCE) in locutus call_user_func_array due to Code Injection
Locutus brings the standard libraries of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically in the `call_user_func_array` function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. The issue stems from an insecure implementation of `call_user_func_array` (and its wrapper `call_user_func`), which fails to properly validate all components of a callback array before passing them to `eval()`. This issue has been patched in version 3.0.0.
2. locutus: Locutus: Remote Code Execution via insecure callback function implementation
A flaw was found in Locutus, a project that brings standard libraries of other programming languages to JavaScript. A remote attacker could exploit an insecure implementation of the `call_user_func_array` function, which fails to properly validate all components of a callback array before passing them to the eval method. This vulnerability allows the attacker to inject arbitrary JavaScript code into the application's runtime environment, leading to remote code execution.
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.
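Both entries above describe the same root cause: components of a callback array reach `eval()` without validation. The following added example is not locutus code; it shows a `call_user_func_array`-style resolver that checks every name against an identifier pattern and resolves it through a constructed registry of permitted functions, so no part of the callback is ever evaluated as source text (`registry`, `ownProp`, `resolveCallback` and `callUserFuncArray` are names assumed for this example).

```javascript
// Added example (not locutus code): a call_user_func_array-style resolver that
// never passes any part of a callback to eval(). Names are validated against an
// identifier pattern and resolved only through an explicit, constructed registry.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// Constructed registry: the only names a string callback may refer to.
const registry = {
  strtoupper: (s) => String(s).toUpperCase(),
  Math,
  Str: { repeat: (s, n) => String(s).repeat(n) },
};
// Returns the OWN property `name` of `scope`, or throws. Inherited properties
// (e.g. `constructor`, which leads to Function) are deliberately refused.
function ownProp(scope, name) {
  if (typeof name !== 'string' || !IDENT.test(name)) {
    throw new TypeError(`invalid name: ${String(name)}`);
  }
  if (scope === null || (typeof scope !== 'object' && typeof scope !== 'function') ||
      !Object.prototype.hasOwnProperty.call(scope, name)) {
    throw new TypeError(`unknown name: ${name}`);
  }
  return scope[name];
}
// Accepts "name", "Class::method", [objectOrClassName, "method"] or a function.
function resolveCallback(cb, reg = registry) {
  let scope = null, fn;
  if (typeof cb === 'string') {
    const parts = cb.split('::');
    if (parts.length > 2) throw new TypeError(`invalid callback: ${cb}`);
    const owner = parts.length === 2 ? ownProp(reg, parts[0]) : reg;
    fn = ownProp(owner, parts[parts.length - 1]);
    if (parts.length === 2) scope = owner;
  } else if (Array.isArray(cb) && cb.length === 2) {
    scope = typeof cb[0] === 'string' ? ownProp(reg, cb[0]) : cb[0];
    fn = ownProp(scope, cb[1]);
  } else if (typeof cb === 'function') {
    fn = cb;
  } else {
    throw new TypeError('unsupported callback shape');
  }
  if (typeof fn !== 'function') throw new TypeError('callback is not callable');
  return { fn, scope };
}
// Applies the resolved callback with the given parameter array, PHP-style.
function callUserFuncArray(cb, parameters) {
  const { fn, scope } = resolveCallback(cb);
  return fn.apply(scope, parameters);
}
```

Because the registry is the only source of names, a callback string that is not a plain identifier (or `Identifier::identifier`) is rejected before any lookup happens.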