Critical (9.8)

CVE-2026-32304: Locutus

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function ...

Affected: locutus (npm package, JavaScript)

Overview

A critical vulnerability, tracked as CVE-2026-32304, has been disclosed in the Locutus project. Locutus is a JavaScript library that reimplements standard-library functions from other programming languages (its create_function mirrors PHP's function of the same name) for educational use. The flaw allows arbitrary code execution and is a severe risk to any application that passes untrusted data into a vulnerable version of the library.

Vulnerability Details

In versions prior to 3.0.14, the create_function(args, code) function in Locutus passes both of its string parameters straight to JavaScript's built-in Function constructor with no sanitization or validation. The Function constructor compiles its last argument as a function body, so it is eval in all but name: whoever controls the code string controls what runs. An attacker who can influence either argument (for example, through user-supplied data that the application forwards to create_function) can therefore execute arbitrary JavaScript on the server, or in the user's browser, depending on where Locutus is running. Because the function exists to compile code from strings, the operational rule is the same as for eval: no text from an untrusted source may ever reach it.

This is a distinct issue from the previously patched CVE-2026-29091, which involved the eval() function in the 2.x branch. The new finding specifically concerns the create_function implementation's use of new Function() in the 3.x branch.
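
The following is an added example, not code from the Locutus project: an illustrative reconstruction of a create_function(args, code) that hands both strings to the Function constructor, placed beside a hardened replacement that never compiles untrusted text. The reconstruction mirrors only the behaviour the advisory describes and is assumed to differ from the real implementation; the names createFunctionUnsafe, createFunctionSafe and ALLOWED_OPERATIONS, the attacker string and the marker property are all constructed for this demonstration.

```javascript
// Added example, not Locutus's own code.  Assumption: the real
// create_function differs in detail; only the "both strings go to
// Function()" behaviour from the advisory is reproduced here.

// Vulnerable pattern: the argument list and the body are handed straight
// to the Function constructor.  Function(...params, body) compiles `body`
// in the global scope, which is eval by another name.
function createFunctionUnsafe(args, code) {
  return Function.apply(null, args.split(',').concat(code));
}

// Constructed untrusted input standing in for attacker-controlled data.
// The payload only plants a marker on globalThis so the effect is
// observable; a real payload would read files, env vars, or open sockets.
const attackerCode =
  'globalThis.__locutusDemoMarker = "executed"; return a + b;';

function demonstrateUnsafe() {
  delete globalThis.__locutusDemoMarker;
  const fn = createFunctionUnsafe('a,b', attackerCode);
  const result = fn(2, 3);
  // The arithmetic still works, but the injected statement ran first.
  return { result, marker: globalThis.__locutusDemoMarker };
}

// Hardened pattern: untrusted input may only *select* from a fixed table of
// functions written at build time.  No string is ever compiled, so the
// attacker string above is just an unknown key and is rejected.
const ALLOWED_OPERATIONS = Object.freeze({
  add: (a, b) => a + b,
  mul: (a, b) => a * b,
});

function createFunctionSafe(name) {
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_OPERATIONS, name)) {
    throw new TypeError(`unknown operation: ${String(name).slice(0, 40)}`);
  }
  return ALLOWED_OPERATIONS[name];
}

function demonstrateSafe() {
  delete globalThis.__locutusDemoMarker;
  let rejected = false;
  try {
    createFunctionSafe(attackerCode);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return {
    rejected,
    marker: globalThis.__locutusDemoMarker, // stays undefined
    sum: createFunctionSafe('add')(2, 3),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', demonstrateUnsafe());
  console.log('safe:  ', demonstrateSafe());
}
```

Run it with `node` to see the marker appear in the unsafe case and stay undefined in the safe one. The design point is that there is no safe way to "sanitize" a string destined for Function or eval; the only hardening is to stop compiling strings at all and map untrusted input onto a closed set of pre-written functions. Node's vm module does not change this: its documentation states it is not a security mechanism, so sandboxing a compiled string there is not a substitute for the fix.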

Potential Impact

The impact of this vulnerability is critical. Successful exploitation could lead to:

  • Full compromise of the server hosting the vulnerable application.
  • Unauthorized access to sensitive data and file systems.
  • A complete takeover of the application’s functionality.
  • Use of the server as a foothold for further attacks within a network.

For Locutus running in a browser, the same flaw enables client-side attacks such as session hijacking. The CVSS base score of 9.8 (CRITICAL) reflects a network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.

Remediation and Mitigation

The only complete fix is to update the Locutus library immediately.

Action Required:

  1. Upgrade: All users must upgrade to Locutus version 3.0.14 or later, where this vulnerability has been patched.
  2. Check Dependencies: Verify your project's dependencies with `npm ls locutus --all` (or check your package.json and lockfile). Ensure no transitive dependency is pulling in an older, vulnerable copy; a patched top-level version does not protect you if a nested one is still below 3.0.14.
  3. Audit Code: Review your application for any import or call of create_function from Locutus, and for each one determine whether either argument can be influenced by untrusted input.

Apart from removing every call path in which untrusted data can reach create_function, there is no workaround without applying the official patch. Delaying the update leaves your systems exposed to remote code execution. System administrators and developers should prioritize this update to prevent system compromise.
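
The three steps above, carried out as one script, are shown in this added example (not Locutus's or npm's own code). It walks the JSON that `npm ls locutus --all --json` prints to find every copy of locutus below the fixed version, including nested ones, and then flags source lines that import or call create_function. Assumptions: the tree shape is npm's documented `{ name, version, dependencies: { <name>: { version, dependencies } } }`; the sample tree, the sample source and the import path `locutus/php/funchand/create_function` are constructed for the demonstration; and the function names are mine.

```javascript
// Added example, not Locutus's or npm's own code.

const FIXED_VERSION = '3.0.14';

// Compare dotted versions numerically (3.10.0 > 3.9.9).  Pre-release
// suffixes are stripped before comparison; this is enough for npm
// release versions such as 3.0.13 and 3.0.14.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk an `npm ls --json` tree and return every locutus instance with the
// dependency path that pulls it in, so transitive copies are not missed.
function findLocutus(tree, path = [], found = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = path.concat(name);
    if (name === 'locutus' && node.version) {
      found.push({
        path: here.join(' > '),
        version: node.version,
        vulnerable: compareVersions(node.version, FIXED_VERSION) < 0,
      });
    }
    findLocutus(node, here, found);
  }
  return found;
}

// Flag source lines that import Locutus's create_function or call it.
// The module path is assumed; adjust it to match your codebase.
const CREATE_FUNCTION_RE =
  /locutus\/php\/funchand\/create_function|\bcreate_function\s*\(/;

function findCreateFunctionUses(source) {
  return source
    .split('\n')
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => CREATE_FUNCTION_RE.test(text));
}

// Constructed sample data standing in for real `npm ls` output and app
// source: the top-level locutus is patched, but a nested copy is not.
const SAMPLE_TREE = {
  name: 'demo-app',
  version: '1.0.0',
  dependencies: {
    locutus: { version: '3.0.14' },
    'legacy-widget': {
      version: '2.1.0',
      dependencies: { locutus: { version: '3.0.13' } },
    },
  },
};

const SAMPLE_SOURCE = [
  "const strtotime = require('locutus/php/datetime/strtotime');",
  "const create_function = require('locutus/php/funchand/create_function');",
  "const fn = create_function('a,b', req.body.expr); // untrusted input",
].join('\n');

// Combine both checks into one report.  Replace the defaults with
// JSON.parse(fs.readFileSync(...)) over real `npm ls` output and with the
// contents of your own source files.
function auditReport(tree = SAMPLE_TREE, source = SAMPLE_SOURCE) {
  return {
    vulnerable: findLocutus(tree).filter((f) => f.vulnerable),
    usages: findCreateFunctionUses(source),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditReport(), null, 2));
}
```

On the constructed input the report lists one vulnerable copy at `legacy-widget > locutus` (3.0.13) even though the top-level locutus is already 3.0.14, and two lines that reference create_function. Each flagged line is a place to confirm that neither argument can be influenced by an untrusted source; if one can, that call must go, independently of the upgrade.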
