{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32304", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T21:16:21.659Z", "datePublished": "2026-03-12T21:24:51.730Z", "dateUpdated": "2026-03-13T13:12:13.553Z"}, "containers": {"cna": {"title": "Locutus: RCE via unsanitized input in create_function()", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/locutusjs/locutus/security/advisories/GHSA-vh9h-29pq-r5m8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-vh9h-29pq-r5m8"}, {"name": "https://github.com/locutusjs/locutus/releases/tag/v3.0.14", "tags": ["x_refsource_MISC"], "url": "https://github.com/locutusjs/locutus/releases/tag/v3.0.14"}], "affected": [{"vendor": "locutusjs", "product": "locutus", "versions": [{"version": "< 3.0.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T21:24:51.730Z"}, "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14."}], "source": {"advisory": "GHSA-vh9h-29pq-r5m8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T13:12:02.296127Z", "id": "CVE-2026-32304", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T13:12:13.553Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32304", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-13T13:12:02.296127Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T13:12:09.830Z"}}], "cna": {"title": "Locutus: RCE via unsanitized input in create_function()", "source": {"advisory": "GHSA-vh9h-29pq-r5m8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "locutusjs", "product": "locutus", "versions": [{"status": "affected", "version": "< 3.0.14"}]}], "references": [{"url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-vh9h-29pq-r5m8", "name": "https://github.com/locutusjs/locutus/security/advisories/GHSA-vh9h-29pq-r5m8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/locutusjs/locutus/releases/tag/v3.0.14", "name": "https://github.com/locutusjs/locutus/releases/tag/v3.0.14", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T21:24:51.730Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32304", "state": "PUBLISHED", "dateUpdated": "2026-03-13T13:12:13.553Z", "dateReserved": "2026-03-11T21:16:21.659Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T21:24:51.730Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "96DC0599-8FE6-45BD-AE3C-A76DE784C161", "versionEndExcluding": "3.0.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14."}], "id": "CVE-2026-32304", "lastModified": "2026-03-19T13:48:33.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-13T19:54:41.830", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/locutusjs/locutus/releases/tag/v3.0.14"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-vh9h-29pq-r5m8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "locutusjs: Locutus: Arbitrary code execution via unsanitized parameters in create_function", "id": "2447200", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447200"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-88", "details": ["A flaw was found in Locutus, a JavaScript library that provides standard library functions. The `create_function` function in Locutus passes user-supplied arguments and code directly to the JavaScript `Function` constructor without proper sanitization. This vulnerability allows a remote attacker to execute arbitrary code within the application, potentially leading to full system compromise or data manipulation."], "name": "CVE-2026-32304", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch6-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-proxy-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/logging-curator5-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}], "public_date": "2026-03-12T21:24:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32304\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32304\nhttps://github.com/locutusjs/locutus/releases/tag/v3.0.14\nhttps://github.com/locutusjs/locutus/security/advisories/GHSA-vh9h-29pq-r5m8"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.14)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "locutus", "source": "cna", "vendor": "locutusjs"}, "product": "locutus", "vendor": "locutus"}], "analysis": {"en": {"generated_at": "2026-03-19T16:12:07.537752+00:00", "value": {"mitigation_remediation": ["Upgrade locutus to version 3.0.14 or later.", "If an upgrade is not immediately possible, remove or neutralize any use of create_function in your codebase to prevent unsanitized input from being passed to the Function constructor."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the locutusjs:locutus library used in Node.js environments. All releases prior to 3.0.14 are impacted. The fix was introduced in version 3.0.14; any project that incorporates older versions of Locutus is susceptible.\\n", "description_and_impact": "Locutus is a JavaScript library that emulates standard libraries from other languages for educational use. In versions before 3.0.14, the create_function(args, code) helper forwards both parameters directly to the JavaScript Function constructor without any sanitization. This lack of validation allows an attacker to inject arbitrary JavaScript code that will be executed with the privileges of the running Node.js process. The weakness corresponds to CWE-88 (Function Injection) and CWE-94 (Eval Injection). The practical consequence is Remote Code Execution, meaning an attacker can run any code, manipulate data, or further compromise the host system. The vulnerability is distinct from earlier versions that used eval.\\n", "risk_and_exploitability": "The CVSS score is 9.8, indicating a high severity and full remote exploitation scope. The EPSS score is reported as less than 1%, suggesting that publicly exploited instances are rare, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector is straightforward: any code that calls locutus.create_function with user-controllable arguments can trigger the dangerous Function constructor. Consequently, the risk is high for projects that use Locutus without restricting the input to create_function, and exploitation is feasible with minimal effort if the library is included and the function called. The combination of high severity and low public exploitation probability underscores the importance of rapid remediation.\\n"}}}}, "created": "2026-03-13T09:49:41.726190+00:00", "updated": "2026-03-23T10:00:18.262909+00:00", "vendors": ["locutus", "locutus$PRODUCT$locutus"]}