CRITICAL🇵🇱 Wersja polska

CVE-2026-32304

CVSS 9.8v3.1pub. 2026-03-13upd. 2026-06-30

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.

🤖 AI Analysis
How it works

The create_function(args, code) function passes both its parameters directly to the JavaScript Function() constructor without any sanitization. An attacker can supply crafted data as function arguments, resulting in dynamic creation and execution of arbitrary JavaScript code. This is a separate vulnerability from CVE-2026-29091, which affected the call_user_func_array function using eval() in the v2.x branch — this issue concerns the create_function function using new Function() in the v3.x branch.

Impact

An attacker can execute arbitrary code on the server or client side in the context of an application using the Locutus library, which may lead to complete system compromise, sensitive data leakage, or violation of application integrity.

Mitigation & patch

Update the Locutus library to version 3.0.14 or later, in which the vulnerability has been fixed. Details are available in the vendor references: https://github.com/locutusjs/locutus/releases/tag/v3.0.14

Who is affected

Locutus versions before 3.0.14 (v3.x branch)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Locutus

    APP
    Locutus
    < 3.0.14
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-25521CRITICAL9.4PL ✓ten sam produkt

Prototype pollution w bibliotece Locutus (JavaScript stdlibs)

CVE-2020-7719CRITICAL9.8ten sam produkt

Versions of package locutus before 2.0.12 are vulnerable to prototype Pollution via the php.strings.parse_str ...

CVE-2026-29091HIGH8.1ten sam produkt

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version...

CVE-2026-33993MEDIUM6.9ten sam produkt

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version...

CVE-2026-33994MEDIUM6.3ten sam produkt

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in vers...