CVE-2026-32304
Status: Received - Intake
Arbitrary Code Execution in Locutus create_function via Unsafe Function Constructor

Publication date: 2026-03-13

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.
Meta Information
Published: 2026-03-13
Last Modified: 2026-03-19
Generated: 2026-05-07
AI Q&A: 2026-03-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: locutus; Product: locutus; Version / Range: up to 3.0.14 (exclusive)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the locutus package to version 3.0.14 or later, where the vulnerable create_function module has been completely removed.

If upgrading immediately is not possible, remove or replace any usage of the create_function function in your codebase to avoid passing unsanitized input to the Function constructor.

Avoid using dynamic code execution methods like new Function() with untrusted input.

Monitor your systems for any signs of exploitation attempts, such as unexpected command executions or unusual behavior in applications using locutus.


Can you explain this vulnerability to me?

CVE-2026-32304 is a critical remote code execution vulnerability in the npm package locutus, affecting versions up to 3.0.13. It occurs in the create_function(args, code) function, which passes both parameters directly to the JavaScript Function constructor without any sanitization or validation.

This lack of input validation allows an attacker who can control either argument to execute arbitrary code remotely, including running system commands via Node.js.

The vulnerability is distinct from a previous issue (CVE-2026-29091) and was fixed in locutus version 3.0.14 by removing the vulnerable create_function module.


How can this vulnerability impact me?

This vulnerability allows an attacker to execute arbitrary code remotely without any privileges or user interaction.

  • An attacker can run system commands on the affected system, potentially gaining full control.
  • It poses a critical risk to confidentiality, integrity, and availability of the affected system.

Because the attack vector is network-based and requires no privileges, any system using vulnerable versions of locutus is at high risk of compromise.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from the use of the create_function(args, code) function in locutus versions prior to 3.0.14, which passes parameters directly to the JavaScript Function constructor without sanitization, allowing arbitrary code execution.

To detect if your system is vulnerable, first check the installed version of the locutus package. If it is version 3.0.13 or earlier, it is affected.

  • Run the command `npm list locutus` or `npm ls locutus` in your project directory to determine the installed version.
  • Search your codebase for usage of the create_function function, especially calls that pass dynamic arguments to it.
  • If you have access to runtime logs or monitoring, look for suspicious executions of the Function constructor or unexpected system commands being run via Node.js child_process.execSync.

There is no direct network detection signature mentioned, but monitoring for unusual remote code execution attempts or unexpected command executions related to locutus usage could help.
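The version check and code-base search described above, as an added Node.js triage example that is not code from the advisory or from the locutus project; the helper names (isVulnerableVersion, parseArgs, findCreateFunctionCalls) and the classification of calls as "literal" versus "dynamic" are this example's own, and the only facts it relies on are the fixed release 3.0.14 and the create_function(args, code) signature stated on the page.

```javascript
// Added example, not the advisory's or locutus's own code: triage helpers for
// CVE-2026-32304 (version check against the fixed 3.0.14, and a scan that flags
// create_function(...) calls whose arguments are not all string literals).
const FIXED_VERSION = [3, 0, 14];
// True when `version` (e.g. "3.0.13" or "^3.0.13") is older than the fixed release.
function isVulnerableVersion(version) {
  const parts = version.replace(/^[^\d]*/, '').split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${version}`);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return false; // exactly 3.0.14
}
// Argument list of the call whose '(' is at index `open`, split on top-level
// commas while honouring quotes and nested parentheses; null if unterminated.
function parseArgs(text, open) {
  const args = [];
  let cur = '', quote = null, depth = 0;
  for (let i = open + 1; i < text.length; i++) {
    const ch = text[i];
    if (quote) {
      cur += ch;
      if (ch === '\\') cur += text[++i] ?? '';
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'" || ch === '`') { quote = ch; cur += ch; }
    else if (ch === '(') { depth++; cur += ch; }
    else if (ch === ')' && depth > 0) { depth--; cur += ch; }
    else if (ch === ')') { args.push(cur.trim()); return args; }
    else if (ch === ',') { args.push(cur.trim()); cur = ''; }
    else cur += ch;
  }
  return null;
}
// A single quoted string; a template literal counts only when it has no ${...}.
const isLiteral = (a) =>
  /^(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")$/.test(a) ||
  (/^`(?:[^`\\]|\\.)*`$/.test(a) && !a.includes('${'));
// One hit per call: line number plus 'literal' (constant code) or 'dynamic' (review needed).
function findCreateFunctionCalls(source) {
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(/\bcreate_function\s*\(/g)) {
      const args = parseArgs(line, m.index + m[0].length - 1);
      if (args) hits.push({ line: idx + 1, risk: args.every(isLiteral) ? 'literal' : 'dynamic' });
    }
  });
  return hits;
}
```

Feed isVulnerableVersion the version reported by `npm ls locutus`, and findCreateFunctionCalls the contents of each source file; "dynamic" hits are the calls where request or user data may reach new Function() and should be removed first.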

