CVE-2026-32304
Received Received - Intake
Arbitrary Code Execution in Locutus create_function via Unsafe Function Constructor

Publication date: 2026-03-13

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32304
EUVD
EUVD-2026-11718
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
locutus locutus to 3.0.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The primary mitigation is to upgrade the locutus package to version 3.0.14 or later, where the vulnerable create_function module has been completely removed.

If upgrading immediately is not possible, remove or replace any usage of the create_function function in your codebase to avoid passing unsanitized input to the Function constructor.

Avoid using dynamic code execution methods like new Function() with untrusted input.

Monitor your systems for any signs of exploitation attempts, such as unexpected command executions or unusual behavior in applications using locutus.

Executive Summary

CVE-2026-32304 is a critical remote code execution vulnerability in the npm package locutus, affecting versions up to 3.0.13. It occurs in the create_function(args, code) function, which passes both parameters directly to the JavaScript Function constructor without any sanitization or validation.

This lack of input validation allows an attacker who can control either argument to execute arbitrary code remotely, including running system commands via Node.js.

The vulnerability is distinct from a previous issue (CVE-2026-29091) and was fixed in locutus version 3.0.14 by removing the vulnerable create_function module.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely without any privileges or user interaction.

  • An attacker can run system commands on the affected system, potentially gaining full control.
  • It poses a critical risk to confidentiality, integrity, and availability of the affected system.

Because the attack vector is network-based and requires no privileges, any system using vulnerable versions of locutus is at high risk of compromise.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from the use of the create_function(args, code) function in locutus versions prior to 3.0.14, which passes parameters directly to the JavaScript Function constructor without sanitization, allowing arbitrary code execution.

To detect if your system is vulnerable, first check the installed version of the locutus package. If it is version 3.0.13 or earlier, it is affected.

  • Run the command `npm list locutus` or `npm ls locutus` in your project directory to determine the installed version.
  • Search your codebase for usage of the create_function function, especially calls that pass dynamic arguments to it.
  • If you have access to runtime logs or monitoring, look for suspicious executions of the Function constructor or unexpected system commands being run via Node.js child_process.execSync.

There is no direct network detection signature mentioned, but monitoring for unusual remote code execution attempts or unexpected command executions related to locutus usage could help.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32304. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart