CVE-2026-32304 in locutus
Summary
by MITRE • 03/13/2026
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.
Analysis
by VulDB Data Team • 03/20/2026
The vulnerability identified as CVE-2026-32304 resides in the Locutus library, a tool that provides standard library implementations from various programming languages within JavaScript environments for educational purposes. The library serves as a bridge between programming paradigms, letting developers understand language constructs through JavaScript implementations. The flaw manifests in version 3.0.14 and earlier releases, where the create_function function performs no validation or sanitization of its inputs before they reach the JavaScript runtime. The vulnerability is a direct consequence of missing input validation in the library's core functionality.
The technical implementation of this vulnerability stems from the create_function function's use of JavaScript's Function constructor without any form of parameter sanitization or validation. When developers invoke create_function with arguments and code parameters, the library directly passes these inputs to the Function constructor which then evaluates them as executable JavaScript code. This pattern creates an immediate code injection vector where malicious actors can inject arbitrary JavaScript code through the function parameters. The vulnerability is classified under CWE-94, which specifically addresses "Improper Control of Generation of Code ('Code Injection')" and represents a variant of the more general CWE-74 "Improper Neutralization of Special Elements in Output Used by a Downstream Component." The use of the Function constructor instead of eval() does not mitigate the risk, as both mechanisms provide direct code execution capabilities when unvalidated inputs are passed.
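The unsafe pattern the analysis describes, placed beside one hardened design, as an added example: this is not Locutus's own source and not the 3.0.14 fix, which the advisory does not detail. The identifier check and the allowlist of function bodies are assumptions about what a caller of such a helper actually needs.

```javascript
// Reconstruction of the described pattern (not Locutus's code): both
// parameters reach the Function constructor unchanged, so whoever controls
// either string controls the compiled code.
function createFunctionUnsafe(args, code) {
  return new Function(args, code);
}

// Hardened variant. Assumption: the application only ever needs a fixed set
// of function bodies, so the body is looked up by name from an allowlist
// instead of being compiled from caller-supplied text, and every argument
// name must be a plain identifier before it is handed to the constructor.
const IDENT = /^[A-Za-z_$][\w$]*$/;
const ALLOWED_BODIES = Object.freeze({
  add: 'return a + b;',
  square: 'return x * x;',
});

function createFunctionGuarded(args, bodyName) {
  const names = String(args)
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
  if (!names.every((n) => IDENT.test(n))) {
    throw new TypeError('argument list must contain only plain identifiers');
  }
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_BODIES, bodyName)) {
    throw new RangeError(`unknown function body "${bodyName}"`);
  }
  // Only allowlisted text is compiled; the caller never supplies code.
  return new Function(...names, ALLOWED_BODIES[bodyName]);
}

// Helper for checks: true when the guard refuses to build the function.
function isRejected(args, bodyName) {
  try {
    createFunctionGuarded(args, bodyName);
    return false;
  } catch (e) {
    return e instanceof TypeError || e instanceof RangeError;
  }
}
```

Anything that is not an identifier in the argument list, or any body name outside the allowlist, is refused before the constructor runs.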
The operational impact of this vulnerability extends beyond a single injected statement: any code passed to create_function runs with the full privileges of the JavaScript runtime, so an adversary who controls either parameter can run payloads such as data exfiltration scripts, system command execution, or persistent backdoors within the affected environment. The vulnerability affects any application that relies on Locutus to create dynamic functions, particularly in server-side JavaScript environments where the library might be used to implement dynamic code generation features. The attack vector is particularly dangerous because it requires no complex exploitation technique; it relies only on the parameter handling flaw that lets arbitrary code execute in the JavaScript runtime context. This vulnerability aligns with ATT&CK technique T1059.007, "Command and Scripting Interpreter: JavaScript," which describes how adversaries leverage JavaScript execution capabilities to perform malicious activities.
The remediation for CVE-2026-32304 is to update the Locutus library to version 3.0.14 or later, where the vulnerability has been addressed through proper input sanitization and parameter validation. Security teams should audit all systems that use this library to identify potential exploitation attempts and to confirm that every affected application has been updated. Organizations should monitor for suspicious create_function calls and parameter usage patterns that might indicate attempted exploitation. The fix illustrates the importance of input validation and of least privilege in code generation functions: user-provided input must never reach a dynamic code execution mechanism such as the Function constructor or eval() without validation. Additionally, security practitioners should consider runtime protection mechanisms such as Content Security Policy headers and sandboxing to provide defense in depth against similar vulnerabilities in other libraries or applications that exhibit the same pattern of insecure code generation.