CVE-2026-32304
Published: 13 March 2026
Summary
CVE-2026-32304 is a critical-severity Code Injection (CWE-94) vulnerability in Locutus Locutus. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely identification, reporting, and correction of flaws like the unsanitized inputs to Locutus' create_function, preventing RCE by updating to version 3.0.14 or later.
Requires scanning for vulnerabilities such as CVE-2026-32304 in third-party libraries like Locutus to identify and prioritize remediation.
Enforces validation of information inputs to functions like create_function to block malicious args and code from reaching the Function constructor.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows remote, unauthenticated attackers to achieve arbitrary code execution (RCE) over the network in JavaScript environments like Node.js applications, directly facilitating exploitation of public-facing applications.
NVD Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which…
more
was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.
Deeper analysisAI
CVE-2026-32304 is a high-severity code injection vulnerability (CWE-94) in the Locutus JavaScript library, which emulates standard libraries from other programming languages for educational purposes. In versions prior to 3.0.14, the create_function(args, code) function passes both arguments directly to the JavaScript Function constructor without sanitization, enabling arbitrary code execution. This issue, published on 2026-03-13, is distinct from CVE-2026-29091, which affected v2.x via call_user_func_array and eval(); it specifically targets the new Function() usage in v3.x. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, authentication, or user interaction. By supplying malicious args and code parameters to create_function, attackers achieve remote code execution (RCE) in the JavaScript environment where Locutus is loaded, such as browsers or Node.js applications, potentially leading to full compromise with high impacts on confidentiality, integrity, and availability.
The Locutus security advisory (GHSA-vh9h-29pq-r5m8) and release notes for v3.0.14 confirm the vulnerability has been fixed by adding proper sanitization to the create_function implementation. Security practitioners should update to Locutus 3.0.14 or later to mitigate the issue.
Details
- CWE(s)