PT-2026-25084 · Git+3 · Locutus

Byamb4 · Published 2026-03-12 · Updated 2026-03-13 · CVE-2026-32304

CVSS v3.1 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Locutus versions prior to 3.0.14

Description: Locutus is a JavaScript library that aims to bring standard libraries from other programming languages to JavaScript for educational purposes. In versions prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, which allows arbitrary code execution. The issue resides in the src/php/funchand/create_function.ts file, specifically at line 17, where new Function(...params, code) is used without input validation. An attacker who can control either argument to create_function() can achieve full remote code execution (RCE). Approximately 597,000 weekly npm downloads are potentially affected. A proof-of-concept (PoC) demonstrates the ability to execute system commands using require("child_process").execSync("id") through the vulnerable function. This issue is distinct from CVE-2026-29091, which involved call_user_func_array using eval() in older versions.

Recommendations: Update to Locutus version 3.0.14 or later. Remove the create_function function. If removal is not possible, replace new Function() with a safe alternative.
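The vulnerable shape the description gives, beside one safe replacement, as an added JavaScript example that is not Locutus code: the callback table, its two entries and the function names are assumed for illustration.

```javascript
// Added example, not Locutus code: the pre-3.0.14 pattern next to a
// replacement that never compiles caller-supplied strings.

// Mirrors the vulnerable pattern the advisory describes: both parameters are
// forwarded to the Function constructor unchecked, so whoever controls either
// argument decides what code runs. Kept only to show why it is unsafe.
function createFunctionUnsafe(args, code) {
  const params = args.split(',').map((p) => p.trim()).filter(Boolean);
  return new Function(...params, code);
}

// Shows the property the advisory relies on: the "args" string is code too.
// A default-parameter expression is evaluated when the function is called.
function demonstrateArgsAreCode() {
  const f = createFunctionUnsafe('a = 40 + 2', 'return a');
  return f(); // 42, computed from the "args" string, not from "code"
}

// Safe alternative (assumed design, not the project's): callers pick from a
// fixed table of real closures by name. No string reaches new Function or
// eval, so there is nothing to inject into.
const CALLBACKS = Object.freeze({
  add: (a, b) => a + b,
  upper: (s) => String(s).toUpperCase(),
});

function createFunctionSafe(name) {
  // Own-property check rejects inherited names such as "constructor"
  // along with anything not in the table.
  if (typeof name !== 'string' ||
      !Object.prototype.hasOwnProperty.call(CALLBACKS, name)) {
    throw new TypeError(`createFunctionSafe: unknown callback "${String(name)}"`);
  }
  return CALLBACKS[name];
}
```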

Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-32304
GHSA-VH9H-29PQ-R5M8

Affected Products

Locutus