Vulnerability Description
Locutus brings the standard libraries of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091, which concerned call_user_func_array using eval() in v2.x; this finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Locutus | Locutus | < 3.0.14 |
Related Weaknesses (CWE)
References
- https://github.com/locutusjs/locutus/releases/tag/v3.0.14 (Product, Release Notes)
- https://github.com/locutusjs/locutus/security/advisories/GHSA-vh9h-29pq-r5m8 (Exploit, Mitigation, Patch)
FAQ
What is CVE-2026-32304?
CVE-2026-32304 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function ...
How severe is CVE-2026-32304?
CVE-2026-32304 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-32304?
Check the references section above for vendor advisories and patch information. Affected product: Locutus (vendor: Locutus), versions prior to 3.0.14.