External risk intelligence

Locutus create_function Arbitrary Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-32304

Locutus is a library intended for educational purposes that provides standard libraries from other programming languages to JavaScript. As a development library or dependency integrated into applications for specific utility functions, it is not an internet-facing service, appliance, or gateway, and lacks a public-facing deployment pattern.

Code Injection

Locutus

before 3.0.14

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the locutus library, which is used for educational purposes to bring standard libraries from other programming languages to JavaScript. The flaw allows for arbitrary code execution by passing unsanitized parameters to the Function constructor. This could potentially impact applications that utilize this library in their development.

  • Code execution flaw in a JavaScript library.
  • Critical issue impacting educational library usage.
  • Confirm relevance and exposure for affected systems.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted input to a JavaScript application that uses a vulnerable version of the locutus library. The application's `create_function` feature does not properly sanitize arguments before passing them to the JavaScript `Function` constructor. This allows an attacker to inject and execute arbitrary code on the server.

  • No authentication needed.
  • Triggered by calling `create_function`.
  • Enables arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

The `create_function` function in Locutus, when used with the `Function` constructor, could allow an attacker to execute arbitrary code. This could occur if the application improperly sanitizes input passed to this function, potentially leading to unauthorized actions or system compromise. There is no explicit indication of personal or sensitive data exposure from the provided context.

  • Arbitrary code execution.
  • Malicious input to `create_function`.
  • System compromise or unauthorized actions.

Operational Fix

Recommended remediation, mitigation, and detection steps

The locutus JavaScript library's create_function capability is susceptible to arbitrary code execution. Technical leaders should direct application owners and platform teams to identify all instances of this library, confirm exposure and criticality, and then coordinate remediation with affected teams, potentially involving vendor coordination for updates.

  • Application owners should prioritize this issue.
  • Verify all locutus deployments and exposures.
  • Plan remediation based on confirmed risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Locutus library?

Locutus is a JavaScript library designed for educational use. It helps developers learn by porting standard library functions from other programming languages into the JavaScript ecosystem. Because it mimics diverse language features, it is often included as a project dependency to provide specific utility functions rather than serving as a standalone application.

How does CVE-2026-32304 cause arbitrary code execution?

This vulnerability is classified as Improper Control of Generation of Code (CWE-94). Within the affected versions, the create_function feature takes input parameters and passes them directly to the underlying JavaScript Function constructor without any sanitization. This allows an attacker to inject and execute their own code within the context of the application using the library.

When can an attacker trigger this vulnerability?

The flaw is triggered when an application passes unvalidated, attacker-supplied data into the create_function function. The vulnerability does not activate if the library is used solely with hardcoded or trusted internal strings. It requires the application to take external input and process it through the vulnerable function call.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal indicates that exploitation is very unlikely for most environments. Because Locutus is a developer-focused utility library rather than an internet-facing gateway, service, or appliance, it typically does not present a direct, public-facing attack surface that would be accessible to remote, unauthenticated actors.

What should I do if I use Locutus in my project?

You should verify your project's dependency tree to identify if you are using a version of Locutus prior to 3.0.14. If you are, plan to update to version 3.0.14 or later, which contains the necessary security fixes. Coordinate this update with your development team to ensure compatibility while removing the unsafe function handling.

References