CVE-2026-32304: Locutus vulnerable to RCE via unsanitized input in create_function()

March 13, 2026 (updated March 16, 2026)

The create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution.

This is distinct from CVE-2026-29091 (GHSA-fp25-p6mj-qqg6) which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x.

References

github.com/advisories/GHSA-vh9h-29pq-r5m8
github.com/locutusjs/locutus
github.com/locutusjs/locutus/releases/tag/v3.0.14
github.com/locutusjs/locutus/security/advisories/GHSA-vh9h-29pq-r5m8
nvd.nist.gov/vuln/detail/CVE-2026-32304

Code Behaviors & Features

Detect and mitigate CVE-2026-32304 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →