Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.
Published: 2026-03-12
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Locutus is a JavaScript library that emulates standard libraries from other languages for educational use. In versions before 3.0.14, the create_function(args, code) helper forwards both parameters directly to the JavaScript Function constructor without any sanitization. Because neither string is validated, an attacker who controls them can inject arbitrary JavaScript that executes with the privileges of the running Node.js process. The weakness corresponds to CWE-88 (Function Injection) and CWE-94 (Eval Injection). The practical consequence is Remote Code Execution: an attacker can run any code, manipulate data, or further compromise the host system. This issue is distinct from the earlier eval()-based finding (CVE-2026-29091) in call_user_func_array in the 2.x releases.

Affected Systems

The vulnerability affects the locutus library (locutusjs:locutus) used in Node.js environments. All releases prior to 3.0.14 are impacted. The fix was introduced in version 3.0.14; any project that incorporates an older version of Locutus is susceptible.

Risk and Exploitability

The CVSS score is 9.8, indicating a high severity and full remote exploitation scope. The EPSS score is reported as less than 1%, suggesting that publicly exploited instances are rare, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector is straightforward: any code that calls locutus.create_function with user-controllable arguments reaches the dangerous Function constructor. Consequently, the risk is high for projects that use Locutus without restricting the input to create_function, and exploitation requires minimal effort once the library is included and the function is called. The combination of high severity and low public exploitation probability underscores the importance of rapid remediation.

Generated by OpenCVE AI on March 19, 2026 at 16:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade locutus to version 3.0.14 or later.
  • If an upgrade is not immediately possible, remove or neutralize any use of create_function in your codebase to prevent unsanitized input from being passed to the Function constructor.
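As an added defender-side check (not OpenCVE's or Locutus' code), the script below implements both recommended actions: it tests whether the installed locutus release contains the 3.0.14 fix and lists every create_function call site in a set of project sources. The locutus import paths in the constructed sample files are assumptions.

```javascript
// Added audit helper; not Locutus or OpenCVE code. Assumes the installed locutus
// version has already been resolved (e.g. from node_modules/locutus/package.json).
const FIXED_VERSION = [3, 0, 14]; // first release with the create_function fix

// Parse "3.0.13", "v3.0.13" or "3.0.13-beta.1" into numeric [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// True when the installed release is 3.0.14 or later.
function hasCreateFunctionFix(installedVersion) {
  const v = parseVersion(installedVersion);
  const i = v.findIndex((n, k) => n !== FIXED_VERSION[k]);
  return i === -1 || v[i] > FIXED_VERSION[i];
}

// Report each create_function call site in a source string with its 1-based line
// number; whole-line // comments are skipped so commented-out code is not reported.
function findCreateFunctionCalls(source) {
  const hits = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    const trimmed = text.trim();
    if (trimmed.startsWith('//')) return;
    if (/\bcreate_function\s*\(/.test(trimmed)) hits.push({ line: idx + 1, text: trimmed });
  });
  return hits;
}

// One verdict per project: upgrade if unpatched, plus the call sites to remove or neutralise.
function auditProject(installedVersion, sources) {
  const findings = [];
  for (const [file, source] of Object.entries(sources)) {
    for (const hit of findCreateFunctionCalls(source)) findings.push({ file, ...hit });
  }
  const patched = hasCreateFunctionFix(installedVersion);
  return { patched, upgradeNeeded: !patched, findings };
}

// Constructed sample project; the locutus import paths are assumptions.
const SAMPLE_SOURCES = {
  'handler.js': [
    "const { create_function } = require('locutus/php/funchand');",
    "// create_function('$a', 'return $a;') // commented out, not reported",
    "module.exports = (req) => create_function(req.body.args, req.body.code);",
  ].join('\n'),
  'util.js': "const php = require('locutus/php');\nconst id = php.funchand.create_function('$x', 'return $x;');",
};
```

Run `auditProject(installedVersion, SAMPLE_SOURCES)` with the resolved version of the real project; findings in an unpatched project are the lines to remove or neutralise until the upgrade lands.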

Advisories
Source: GitHub GHSA | ID: GHSA-vh9h-29pq-r5m8 | Title: Locutus vulnerable to RCE via unsanitized input in create_function()
History

Thu, 19 Mar 2026 14:00:00 +0000
  CPEs added: cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:*

Tue, 17 Mar 2026 00:15:00 +0000
  Weaknesses added: CWE-88
  References: changed
  Metrics threat_severity: removed None, added Important


Fri, 13 Mar 2026 14:15:00 +0000
  Metrics ssvc added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000
  First Time appeared: Locutus; Locutus locutus
  Vendors & Products added: Locutus; Locutus locutus

Thu, 12 Mar 2026 21:45:00 +0000
  Description added: Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.
  Title added: Locutus: RCE via unsanitized input in create_function()
  Weaknesses added: CWE-94
  References: added
  Metrics cvssV3_1 added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T13:12:13.553Z

Reserved: 2026-03-11T21:16:21.659Z

Link: CVE-2026-32304

Vulnrichment

Updated: 2026-03-13T13:12:09.830Z

NVD

Status: Analyzed

Published: 2026-03-13T19:54:41.830

Modified: 2026-03-19T13:48:33.690

Link: CVE-2026-32304

Redhat

Severity: Important

Public Date: 2026-03-12T21:24:51Z

Links: CVE-2026-32304 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T10:00:18Z

Weaknesses