CVE-2026-32304

Опубликовано: 13 мар. 2026

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.

Ссылки

https://github.com/locutusjs/locutus/releases/tag/v3.0.14
Product
Release Notes
https://github.com/locutusjs/locutus/security/advisories/GHSA-vh9h-29pq-r5m8
Exploit
Mitigation
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:*

Версия до 3.0.14 (исключая)

EPSS

Процентиль: 28%

0.00104

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-94

Связанные уязвимости

CVE-2026-32304

CVSS3: 7.5

redhat

14 дней назад

A flaw was found in Locutus, a JavaScript library that provides standard library functions. The `create_function` function in Locutus passes user-supplied arguments and code directly to the JavaScript `Function` constructor without proper sanitization. This vulnerability allows a remote attacker to execute arbitrary code within the application, potentially leading to full system compromise or data manipulation.

GHSA-vh9h-29pq-r5m8