PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32304 locutusjs CVE debrief

CVE-2026-32304 is a critical vulnerability in Locutus, a JavaScript library that ports the standard libraries of other programming languages to JavaScript for educational purposes. It affects versions prior to 3.0.14 and allows arbitrary code execution through create_function(args, code), which passes both parameters directly to the Function constructor without sanitization. It is distinct from CVE-2026-29091, which concerned call_user_func_array using eval() in the 2.x line. The vulnerability carries a CVSS score of 9.8 and is rated critical. It was publicly disclosed on March 13, 2026, and the vendor released a patch the same day.

Vendor
locutusjs
Product
locutus
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-13
Original CVE updated
2026-06-30
Advisory published
2026-03-13
Advisory updated
2026-06-30

Who should care

Developers and administrators running applications that depend on Locutus should upgrade to version 3.0.14 or later without delay, paying particular attention to any code path that passes request-derived input to create_function. Users of Red Hat products that incorporate Locutus may need to apply the corresponding vendor updates. Security teams should prioritize patching and monitor for exploitation attempts.

Technical summary

The create_function(args, code) function in Locutus passes both parameters directly to the Function constructor without sanitization, so whoever controls either string can execute arbitrary JavaScript in the calling process: the code parameter becomes the function body (CWE-94, Code Injection), and the args parameter becomes the parameter list, which is itself executable syntax because default-value expressions run when the function is called (CWE-88, Argument Injection or Modification). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. The library itself has no network surface of its own; the remote, unauthenticated rating applies to applications that route untrusted input into create_function, so triage should begin by locating such call sites.
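The following is an added example, not Locutus' own code: a minimal stand-in for the create_function(args, code) pattern described above, showing that both string parameters are code-execution sinks, an allowlist-based replacement that never builds code from strings, and a small triage helper that flags call sites and imports of create_function in source text. It runs under Node.js with no dependencies; the sample source and all payloads are constructed for the demo, and the names createFunctionUnsafe, createFunctionSafe, ALLOWED_OPS and findCreateFunctionSites are this example's, not the library's API.

```javascript
// Added example, not Locutus' own code. Stand-in for the vulnerable pattern:
// both strings reach the Function constructor unchanged, so whoever controls
// either string runs JavaScript with global scope in the calling process.
function createFunctionUnsafe(args, code) {
  return new Function(args, code);
}

// CWE-94: attacker-controlled `code`. The body executes arbitrary statements
// before returning the "expected" result, here by planting a global marker.
function injectViaBody() {
  delete globalThis.__bodyProbe;
  const f = createFunctionUnsafe('a, b', 'globalThis.__bodyProbe = "pwned"; return a + b;');
  const result = f(1, 2); // looks like an innocent add()
  return { result, probe: globalThis.__bodyProbe };
}

// CWE-88: attacker-controlled `args`. A default-parameter expression is valid
// parameter syntax, so the payload never needs to touch `code` at all.
function injectViaArgs() {
  delete globalThis.__argsProbe;
  const f = createFunctionUnsafe('a = (globalThis.__argsProbe = "pwned", 0), b', 'return a + b;');
  const result = f(undefined, 2); // default value kicks in, payload runs
  return { result, probe: globalThis.__argsProbe };
}

// Hardened form (this example's design, not the vendor's fix): never build
// code from strings. Callers pick an operation by name from a frozen table;
// the lookup uses hasOwnProperty so names such as "constructor" or
// "__proto__" cannot reach Object.prototype.
const ALLOWED_OPS = Object.freeze({
  add: (a, b) => a + b,
  mul: (a, b) => a * b,
});

function createFunctionSafe(name) {
  if (typeof name !== 'string' || !Object.prototype.hasOwnProperty.call(ALLOWED_OPS, name)) {
    throw new TypeError(`operation not allowed: ${String(name)}`);
  }
  return ALLOWED_OPS[name];
}

// True when the allowlist rejects a name, false when it accepts it.
function rejects(name) {
  try {
    createFunctionSafe(name);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Triage helper: returns 1-based line numbers of create_function call sites
// and imports (the locutus/php/funchand/create_function module path), so each
// can be reviewed for untrusted input.
const CREATE_FUNCTION_RE = /\bcreate_function\s*\(|funchand\/create_function\b/;
function findCreateFunctionSites(source) {
  return source
    .split('\n')
    .map((line, i) => (CREATE_FUNCTION_RE.test(line) ? i + 1 : -1))
    .filter((n) => n > 0);
}

// Constructed sample source: line 1 imports the sink, line 3 feeds it request data.
const SAMPLE_SOURCE = [
  "const create_function = require('locutus/php/funchand/create_function');",
  'const safe = (a, b) => a + b;',
  'const handler = create_function(req.query.args, req.query.body); // sink',
].join('\n');

console.log('body injection:', injectViaBody());
console.log('args injection:', injectViaArgs());
console.log('allowlisted add(2, 3):', createFunctionSafe('add')(2, 3));
console.log('rejects "constructor":', rejects('constructor'));
console.log('create_function sites in sample:', findCreateFunctionSites(SAMPLE_SOURCE));
```

Note that the regex-based triage is only a starting point: it catches direct calls and the canonical import path, not aliased references or dynamic require strings, so a flagged-nothing result on a codebase that lists locutus as a dependency still warrants a manual look.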

Defensive priority

This vulnerability should be prioritized for immediate patching due to its critical severity and potential for remote exploitation. Administrators should ensure that all instances of Locutus are upgraded to version 3.0.14 or later as soon as possible.

Recommended defensive actions

  • Upgrade Locutus to version 3.0.14 or later
  • Apply patches or updates provided by Red Hat for affected products
  • Monitor for potential exploitation attempts
  • Review every call site that passes untrusted input to create_function and remove or guard it until the upgrade is deployed
  • Inventory dependency lockfiles and vendored copies to identify every installed Locutus version and the systems that carry it
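As an added example supporting the inventory step (not tooling from Locutus or Red Hat), the block below walks an npm package-lock.json in either the lockfileVersion 1 "dependencies" tree or the lockfileVersion 2/3 "packages" map and reports every installed locutus copy below the fixed version 3.0.14 named on this page. It runs under Node.js with no dependencies; the two lockfile excerpts are constructed for the demo, and the function names are this example's own. It assumes npm lockfiles only; yarn and pnpm lockfiles use different formats, and vendored or bundled copies of the library will not appear in any lockfile.

```javascript
// Added example, not Locutus' or Red Hat's tooling: find locutus installs
// below the fixed version in an npm package-lock.json.
const FIXED_VERSION = [3, 0, 14];

// Compares an "x.y.z" string against the fixed version. Build metadata (+...)
// is ignored; a pre-release of the fixed version (3.0.14-rc.1) sorts before
// 3.0.14 in semver and is therefore still flagged. Unparseable strings are
// flagged so they get a human look rather than silently passing.
function isVulnerableVersion(version) {
  const v = String(version).split('+')[0];
  const dash = v.indexOf('-');
  const prerelease = dash !== -1;
  const core = (prerelease ? v.slice(0, dash) : v).split('.').map(Number);
  if (core.length !== 3 || core.some(Number.isNaN)) return true;
  for (let i = 0; i < 3; i++) {
    if (core[i] < FIXED_VERSION[i]) return true;
    if (core[i] > FIXED_VERSION[i]) return false;
  }
  return prerelease;
}

// Collects { path, version } for every locutus entry in a parsed lockfile.
function findLocutus(lock) {
  const found = [];
  // lockfileVersion 2/3: flat map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/locutus' || path.endsWith('/node_modules/locutus')) {
      found.push({ path, version: entry.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree. v2 files carry both shapes,
  // so the tree is only walked when no "packages" map exists.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'locutus') found.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

// Entry point: lockfile text in, list of affected installs out.
function vulnerableLocutusInstalls(lockJsonText) {
  return findLocutus(JSON.parse(lockJsonText)).filter((e) => isVulnerableVersion(e.version));
}

// Constructed sample lockfiles: a v3 file with a vulnerable top-level copy and
// a fixed nested copy, and a v1 file with a vulnerable copy nested under a
// transitive dependency.
const SAMPLE_LOCK_V3 = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  requires: true,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/locutus': { version: '3.0.13' },
    'node_modules/some-widget': { version: '2.1.0' },
    'node_modules/some-widget/node_modules/locutus': { version: '3.0.14' },
  },
});

const SAMPLE_LOCK_V1 = JSON.stringify({
  name: 'legacy-app',
  lockfileVersion: 1,
  dependencies: {
    'some-widget': {
      version: '2.1.0',
      dependencies: { locutus: { version: '2.0.0' } },
    },
  },
});

console.log('v3 lockfile:', vulnerableLocutusInstalls(SAMPLE_LOCK_V3));
console.log('v1 lockfile:', vulnerableLocutusInstalls(SAMPLE_LOCK_V1));
```

In practice, run vulnerableLocutusInstalls over the lockfile of every deployable artifact rather than just the top-level application, since a nested copy pulled in by a transitive dependency (as in the v1 sample) is installed and importable just the same.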

Evidence notes

The CVE-2026-32304 vulnerability was publicly disclosed on March 13, 2026, and a patch was released on the same day. The vulnerability affects Locutus versions prior to 3.0.14. The CVSS score of 9.8 indicates a critical severity. The vulnerability allows arbitrary code execution through the create_function(args, code) function.

Official resources

This article is AI-assisted and based on the supplied source corpus.