CVE-2026-32304
Published: 2026-03-13
Priority: P259 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.57% (42.9th percentile)
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| locutus | locutus | < 3.0.14 | 3.0.14 |
| locutus | locutus | >= 0 < 3.0.14 | 3.0.14 |
Detection & IOCs (extracted from sources)
- Vulnerable function is `create_function(args, code)` in Locutus v3.x, which passes both parameters directly to the JavaScript `Function` constructor (`new Function()`) without sanitization, enabling arbitrary code execution.
- Monitor for invocations of `create_function` in JavaScript environments using the Locutus library (locutusjs), particularly where user-controlled input is passed as the arguments or code parameters to `new Function()`.
- This CVE (`create_function` via `new Function()` in v3.x) is distinct from CVE-2026-29091, which involved `call_user_func_array` using `eval()` in v2.x. Ensure detection rules target the correct Locutus version branch (v3.x) and the correct sink (`new Function()`, not `eval()`).
- Multiple Red Hat OpenShift Logging Subsystem packages are affected but marked "Will not fix", meaning a patch to Locutus 3.0.14 may not be available through those package channels.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 8.1 | HIGH | |
| osv | | 8.1 | HIGH | |
| vendor_redhat | | 8.1 | HIGH | |
GHSA
Locutus vulnerable to RCE via unsanitized input in create_function()
ghsa · 2026-03-13 · CVSS 8.1
CVE-2026-32304 [HIGH] CWE-94 Locutus vulnerable to RCE via unsanitized input in create_function()
## Summary
The `create_function(args, code)` function passes both parameters directly to the `Function` constructor without any sanitization, allowing arbitrary code execution.
This is distinct from CVE-2026-29091 (GHSA-fp25-p6mj-qqg6) which was `call_user_func_array` using `eval()` in v2.x. This finding affects `create_function` using `new Function()` in v3.x.
## Root Cause
`src/php/funchand/create_function.ts:17`:
```typescript
return new Function(...params, code)
```
Zero input validation on either parameter.
## PoC
```javascript
const { create_function } = require('locutus/php/funchand/create_function');
const rce = create_function('', 'return require("child_process").execSync("id").toString()');
console.log(r
OSV
Locutus vulnerable to RCE via unsanitized input in create_function()
osv · 2026-03-13 · CVSS 8.1
CVE-2026-32304 [HIGH] Locutus vulnerable to RCE via unsanitized input in create_function()
(Advisory text identical to the GHSA entry above: same summary, root cause and PoC.)
Red Hat
locutusjs: Locutus: Arbitrary code execution via unsanitized parameters in create_function
vendor_redhat · 2026-03-12 · CVSS 8.1
CVE-2026-32304 [HIGH] CWE-88 locutusjs: Locutus: Arbitrary code execution via unsanitized parameters in create_function
A flaw was found in Locutus, a JavaScript library that provides standard library functions. The `create_function` function in Locutus passes user-supplied arguments and code directly to the JavaScript `Function` constructor without proper
No detection rules found.
No public exploits indexed.
References
- https://github.com/locutusjs/locutus/releases/tag/v3.0.14
- https://github.com/locutusjs/locutus/security/advisories/GHSA-vh9h-29pq-r5m8
- https://access.redhat.com/security/cve/CVE-2026-32304
- https://bugzilla.redhat.com/show_bug.cgi?id=2447200
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32304.json
Published: 2026-03-13