Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Locutus: Remote Code Execution (RCE) in locutus call_user_func_array due to Code Injection
Vulnerability Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
动态执行代码中指令转义处理不恰当(Eval注入)
Vulnerability Title
Locutus 安全漏洞
Vulnerability Description
Locutus是Locutus开源的一个JavaScript代码库。 Locutus 3.0.0之前版本存在安全漏洞,该漏洞源于call_user_func_array函数实现不安全,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A