CVE-2026-32304 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting the locutus JavaScript library, which provides standard library functions from other programming languages for educational use. The vulnerability exists in the create_function(args, code) function prior to version 3.0.14, where both parameters are passed directly to the JavaScript Function constructor without any sanitization or validation. This unsafe practice allows an attacker to inject arbitrary JavaScript code that will be executed in the context of the application using locutus. Unlike the related CVE-2026-29091 affecting version 2.x via eval(), this issue specifically involves the new Function() constructor in version 3.x. The exploitation requires no authentication or user interaction and can be triggered remotely if untrusted input reaches create_function. The vulnerability impacts confidentiality, integrity, and availability by enabling full arbitrary code execution, potentially leading to data theft, system compromise, or denial of service. The flaw is resolved in locutus version 3.0.14 by implementing proper input sanitization or removing unsafe code generation practices. No public exploits have been reported yet, but the high CVSS score (9.8) indicates critical severity and ease of exploitation.

The vulnerability allows remote attackers to execute arbitrary code within applications using vulnerable versions of locutus, potentially leading to complete system compromise. This can result in unauthorized data access, modification, or destruction, as well as the deployment of malware or ransomware. Since locutus is used primarily for educational purposes and to provide standard libraries from other languages in JavaScript, the impact is especially critical in development, testing, or educational environments where malicious code execution could propagate or be leveraged to attack other systems. The lack of authentication or user interaction requirements increases the risk of automated exploitation. Organizations relying on locutus in production or development pipelines may face significant operational disruption and security breaches if this vulnerability is exploited.

1. Immediately upgrade locutus to version 3.0.14 or later, where the vulnerability is fixed. 2. Audit all codebases and dependencies to identify usage of create_function and replace or refactor any calls that pass untrusted input to the Function constructor. 3. Implement strict input validation and sanitization for any dynamic code generation or execution features. 4. Employ runtime application self-protection (RASP) or JavaScript sandboxing techniques to limit the impact of potential code injection. 5. Monitor application logs and network traffic for unusual behavior indicative of exploitation attempts, such as unexpected code execution or outbound connections. 6. Educate developers about the risks of dynamic code generation and encourage safer coding practices. 7. If upgrading is not immediately possible, consider applying temporary mitigations such as restricting access to vulnerable components or disabling features that invoke create_function with untrusted inputs.