DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32304: Remote Code Execution via Code Injection in Locutus create_function

Vulnerability ID: CVE-2026-32304
CVSS Score: 9.8
Published: 2026-03-13

Locutus versions prior to 3.0.14 contain a critical remote code execution vulnerability in the PHP compatibility layer. The create_function module (locutus/php/funchand/create_function) is a port of PHP's create_function, which is itself an eval wrapper (deprecated in PHP 7.2 and removed in PHP 8.0): it takes an argument-list string and a body string and hands both to the Function constructor without validation. Any application that lets untrusted input reach either string therefore executes attacker-supplied JavaScript in the host process (Node.js) or in the page's origin (browser).

TL;DR

Strings passed to Locutus create_function become the parameter list and body of a new Function() call, so untrusted input reaching it is arbitrary JavaScript execution. No sanitization makes this pattern safe; the fix in version 3.0.14 removes the module entirely, and callers must replace it with ordinary closures.
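To make the mechanism concrete, here is an added example (not Locutus's code and not from the original report): a stand-in `phpStyleCreateFunction` that does what a PHP create_function shim does, a hypothetical pricing feature that feeds a request-supplied formula into it, a constructed payload that executes attacker code while still returning a plausible result, and the allow-listed closure replacement the fix calls for. The function names, rule names and payload are assumptions for illustration.

```javascript
// Added example for CVE-2026-32304 (not Locutus's own source): a minimal
// stand-in for what a PHP create_function shim does, namely hand the
// argument-list string and the body string straight to the Function
// constructor. The real module's exact code is not reproduced here.
function phpStyleCreateFunction(argList, body) {
  const params = argList.split(',').map((s) => s.trim()).filter(Boolean);
  // Function(p1, p2, ..., body): every string is compiled as code.
  return Function.apply(null, params.concat(body));
}

// VULNERABLE (hypothetical app code): a pricing feature that lets the caller
// describe a rule as an expression over `price`. If `formula` comes from a
// request, the attacker writes the function body.
function buildPriceRuleUnsafe(formula) {
  return phpStyleCreateFunction('price', 'return ' + formula + ';');
}

// Constructed payload: the comma expression runs arbitrary code first (here
// only a global marker) and still yields a sane number, so the injected
// rule looks like it works.
const MARKER = '__cve_2026_32304_demo';
const PAYLOAD = '(globalThis.' + MARKER + ' = "attacker code ran", price - 10)';

function demonstrateInjection() {
  delete globalThis[MARKER];
  const rule = buildPriceRuleUnsafe(PAYLOAD);
  const result = rule(100);
  return { result, codeRan: globalThis[MARKER] === 'attacker code ran' };
}

// HARDENED: no code is assembled from strings. Behaviour is selected by name
// from a frozen allow-list of ordinary closures; anything else is rejected.
const PRICE_RULES = Object.freeze({
  none: (price) => price,
  flatTenOff: (price) => Math.max(0, price - 10),
  tenPercentOff: (price) => price - price / 10,
});

function buildPriceRuleSafe(ruleName) {
  // Own-property check: "__proto__", "constructor" etc. are not rules.
  if (typeof ruleName !== 'string' ||
      !Object.prototype.hasOwnProperty.call(PRICE_RULES, ruleName)) {
    throw new Error('unknown price rule: ' + String(ruleName));
  }
  return PRICE_RULES[ruleName];
}

function demonstrateHardened(ruleName) {
  delete globalThis[MARKER];
  try {
    const result = buildPriceRuleSafe(ruleName)(100);
    return { result, rejected: false, codeRan: MARKER in globalThis };
  } catch (e) {
    return { result: undefined, rejected: true, codeRan: MARKER in globalThis };
  }
}

console.log('unsafe :', demonstrateInjection());
console.log('safe   :', demonstrateHardened('flatTenOff'));
console.log('payload:', demonstrateHardened(PAYLOAD));
```

The point the hardened version makes is that there is no sanitizer to apply: the moment a caller can influence either string it is choosing the code, so the fix is to stop building functions from strings. Naming the intended rule and looking it up in a frozen object, with an own-property check so `__proto__` and `constructor` are not accepted, keeps the feature without the code path.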


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-94
  • Attack Vector: Network
  • CVSS Score: 9.8
  • EPSS Score: 0.00078
  • Impact: Remote Code Execution
  • Exploit Status: PoC Available
  • CISA KEV: No

Affected Systems

  • Node.js server applications using Locutus, where untrusted input (request parameters, stored data) can reach create_function
  • Client-side web applications using Locutus, where create_function is given attacker-influenced strings
  • Locutus: < 3.0.14 (Fixed in: 3.0.14)

Only code paths that pass attacker-influenced strings to create_function are exploitable; the library is not exploitable merely by being installed. Calls with hard-coded literal strings are not affected, but they still fail after the upgrade because the module is gone.

Code Analysis

Commit: 412fdb1

Fix CVE-2026-32304 by completely removing the create_function module and updating var_export to use static placeholders.

Mitigation Strategies

  • Upgrade Locutus to version 3.0.14 or later. Because the module is removed there, a direct require of locutus/php/funchand/create_function fails with MODULE_NOT_FOUND instead of silently continuing to compile strings, which is the intended outcome.
  • Refactor application code to remove dependencies on locutus/php/funchand/create_function: select behaviour by name from a fixed allow-list of closures or arrow functions rather than assembling code from strings.
  • Implement static analysis to catch the pattern elsewhere in the codebase: ESLint's core no-new-func and no-implied-eval rules flag new Function() and string arguments to setTimeout/setInterval, and eslint-plugin-security's detect-eval-with-expression flags eval() of non-literal input.

Remediation Steps:

  1. Identify all projects utilizing the Locutus library; in each project, npm ls locutus lists the installed version, including copies pulled in transitively.
  2. Execute npm install locutus@latest (or any version >= 3.0.14) to apply the patch, then re-run npm ls locutus to confirm no copy older than 3.0.14 remains in the dependency tree.
  3. Search the codebase for imports or invocations of create_function, including the locutus/php/funchand namespace import, which exposes it under that name.
  4. Replace dynamic function generation with standard JavaScript closures or arrow functions, selected by name from a fixed set rather than built from input strings.
  5. Execute test suites to verify application functionality after the removal of the dependency.
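As an added example covering remediation step 3 and the static-analysis mitigation above (not the project's or the report's code), the following scanner flags the import paths, call sites and dynamic-code constructs a practitioner greps for during the audit. The sample files, their names, and the assumption that the locutus/php/funchand index re-exports create_function are constructed for illustration.

```javascript
// Added example (not Locutus's or the report's code): a first-pass scan for
// the patterns to remove before and after the 3.0.14 upgrade. Regexes miss
// aliased imports and dynamic requires; treat this as triage and use ESLint's
// no-new-func / no-implied-eval rules for the authoritative pass.
const UNSAFE_PATTERNS = [
  { kind: 'locutus create_function import',
    re: /locutus\/php\/funchand\/create_function\b/ },
  { kind: 'locutus funchand namespace import (assumed to re-export create_function)',
    re: /['"]locutus\/php\/funchand['"]/ },
  { kind: 'create_function call',
    re: /\b(?:create_function|createFunction)\s*\(/ },
  { kind: 'Function constructor',
    re: /\bnew\s+Function\s*\(|\bFunction\s*\.\s*(?:apply|call)\s*\(/ },
  { kind: 'eval call',
    re: /\beval\s*\(/ },
];

// Scan one file's text; returns one finding per (line, pattern) hit.
function scanSource(source, fileName) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    if (/^\s*(?:\/\/|\*)/.test(text)) return; // skip comment-only lines
    for (const { kind, re } of UNSAFE_PATTERNS) {
      if (re.test(text)) {
        findings.push({ file: fileName, line: index + 1, kind, text: text.trim() });
      }
    }
  });
  return findings;
}

// Scan a map of fileName -> contents (in practice, read each file with
// fs.readFileSync over the list `git ls-files '*.js' '*.ts'` produces).
function scanFiles(files) {
  return Object.entries(files).flatMap(([name, src]) => scanSource(src, name));
}

// Count findings per kind, for a quick summary of the audit.
function summarize(findings) {
  return findings.reduce((acc, f) => {
    acc[f.kind] = (acc[f.kind] || 0) + 1;
    return acc;
  }, {});
}

// Constructed sample files standing in for an affected application.
const SAMPLE_FILES = {
  'pricing.js': [
    "const createFunction = require('locutus/php/funchand/create_function')",
    "// create_function(...) in a comment is not a finding",
    "const rule = createFunction('price', 'return ' + formula + ';')",
    "const safeRule = (price) => price - 10",
  ].join('\n'),
  'sort.js': [
    "import { create_function } from 'locutus/php/funchand'",
    "const cmp = new Function('a', 'b', 'return a.' + field + ' - b.' + field)",
  ].join('\n'),
};

const FINDINGS = scanFiles(SAMPLE_FILES);
console.log(FINDINGS);
console.log(summarize(FINDINGS));
```

Every hit is a place where either the import goes away after the upgrade or a function is still being compiled from strings; the second kind is what the refactor in step 4 has to address, because the upgrade alone does nothing for application code that calls new Function() directly.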

