CVE-2026-32304

CriticalPublic PoC

Published: 13 March 2026

Published

13 March 2026

Modified

19 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 35.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which…

was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of flaws like the unsanitized inputs to Locutus' create_function, preventing RCE by updating to version 3.0.14 or later.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Requires scanning for vulnerabilities such as CVE-2026-32304 in third-party libraries like Locutus to identify and prioritize remediation.

SI-10 Information Input Validation partial match

prevent

Enforces validation of information inputs to functions like create_function to block malicious args and code from reaching the Function constructor.

Security SummaryAI

CVE-2026-32304 is a high-severity code injection vulnerability (CWE-94) in the Locutus JavaScript library, which emulates standard libraries from other programming languages for educational purposes. In versions prior to 3.0.14, the create_function(args, code) function passes both arguments directly to the JavaScript Function constructor without sanitization, enabling arbitrary code execution. This issue, published on 2026-03-13, is distinct from CVE-2026-29091, which affected v2.x via call_user_func_array and eval(); it specifically targets the new Function() usage in v3.x. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, authentication, or user interaction. By supplying malicious args and code parameters to create_function, attackers achieve remote code execution (RCE) in the JavaScript environment where Locutus is loaded, such as browsers or Node.js applications, potentially leading to full compromise with high impacts on confidentiality, integrity, and availability.

The Locutus security advisory (GHSA-vh9h-29pq-r5m8) and release notes for v3.0.14 confirm the vulnerability has been fixed by adding proper sanitization to the create_function implementation. Security practitioners should update to Locutus 3.0.14 or later to mitigate the issue.

Details

CWE(s): CWE-94

Affected Products

locutus

≤ 3.0.14

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows remote, unauthenticated attackers to achieve arbitrary code execution (RCE) over the network in JavaScript environments like Node.js applications, directly facilitating exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/locutusjs/locutus/releases/tag/v3.0.14
Product, Release Notes · security-advisories@github.com
https://github.com/locutusjs/locutus/security/advisories/GHSA-vh9h-29pq-r5m8
Exploit, Mitigation, Patch, Vendor Advisory · security-advisories@github.com