Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.
The create_function(args, code) function passes both its parameters directly to the JavaScript Function() constructor without any sanitization. An attacker can supply crafted data as function arguments, resulting in dynamic creation and execution of arbitrary JavaScript code. This is a separate vulnerability from CVE-2026-29091, which affected the call_user_func_array function using eval() in the v2.x branch — this issue concerns the create_function function using new Function() in the v3.x branch.
An attacker can execute arbitrary code on the server or client side in the context of an application using the Locutus library, which may lead to complete system compromise, sensitive data leakage, or violation of application integrity.
Update the Locutus library to version 3.0.14 or later, in which the vulnerability has been fixed. Details are available in the vendor references: https://github.com/locutusjs/locutus/releases/tag/v3.0.14
Locutus versions before 3.0.14 (v3.x branch)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLocutus
APPLocutus< 3.0.14
Related vulnerabilities
Prototype pollution w bibliotece Locutus (JavaScript stdlibs)
Versions of package locutus before 2.0.12 are vulnerable to prototype Pollution via the php.strings.parse_str ...
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version...
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version...
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in vers...