CVE-2026-32304

| EUVD-2026-11718 CRITICAL
2026-03-13 https://github.com/locutusjs/locutus GHSA-vh9h-29pq-r5m8
9.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
PoC Detected
Mar 16, 2026 - 14:54 vuln.today
Public exploit code
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11718
CVE Published
Mar 13, 2026 - 16:10 nvd
CRITICAL 9.8

Tags

Node.js RCE PHP Code Injection

Description

## Summary The `create_function(args, code)` function passes both parameters directly to the `Function` constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 (GHSA-fp25-p6mj-qqg6) which was `call_user_func_array` using `eval()` in v2.x. This finding affects `create_function` using `new Function()` in v3.x. ## Root Cause `src/php/funchand/create_function.ts:17`: ```typescript return new Function(...params, code) ``` Zero input validation on either parameter. ## PoC ```javascript const { create_function } = require('locutus/php/funchand/create_function'); const rce = create_function('', 'return require("child_process").execSync("id").toString()'); console.log(rce()); // Output: uid=501(user) gid=20(staff) ... ``` Confirmed on locutus v3.0.11, Node.js v24.13.1. ## Impact Full RCE when an attacker can control either argument to `create_function()`. 597K weekly npm downloads. ## Suggested Fix Remove `create_function` or replace `new Function()` with a safe alternative. PHP itself deprecated `create_function()` in PHP 7.2 for the same reason. ## Response Thanks for the report. We confirmed that `php/funchand/create_function` was still present through `[email protected]` and that it exposed dynamic code execution via `new Function(...)`. While this was intended behavior, `create_function()` inherently needs to be unsafe in order for it to work, `create_function()` was deprecated in PHP 7.2 and removed in PHP 8.0. Given that Locutus' parity target today is 8.3, this function shouldn't have been in Locutus at all anymore. We fixed this in `[email protected]` by removing `php/funchand/create_function` entirely. That matches our PHP 8.3 parity target more closely: . We also updated `php/var/var_export` so closures now export using the PHP 8-style `\Closure::__set_state(array(...))` form instead of referencing the removed API. Release: - npm: `[email protected]` - GitHub release: https://github.com/locutusjs/locutus/releases/tag/v3.0.14 Credit to @ByamB4 for the report.

Analysis

create_function() sandbox bypass via unsanitized args passed to Function constructor. PoC available.

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Identify all applications and dependencies using locutus versions < 3.0.14 through supply chain scanning; isolate affected systems from production traffic if feasible. Within 7 days: Implement network segmentation, disable the create_function() method if possible, and deploy WAF rules to detect exploitation attempts; begin code review for alternative packages. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

69
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +49
POC: +20

Share

CVE-2026-32304 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy