Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
Locutus: Create Function Allows Unrestricted Code Execution
GHSA-vh9h-29pq-r5m8
CVE-2026-32304
Summary
The create_function function in Locutus allows hackers to run any code without restrictions. This is a security risk if an attacker can provide malicious input to the function. To protect your system, consider removing the create_function function or replacing it with a safer alternative.
What to do
- Update locutus to version 3.0.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | locutus | <= 3.0.13 | 3.0.14 |
Original title
Locutus vulnerable to RCE via unsanitized input in create_function()
Original description
## Summary
The `create_function(args, code)` function passes both parameters directly to the `Function` constructor without any sanitization, allowing arbitrary code execution.
This is distinct from CVE-2026-29091 (GHSA-fp25-p6mj-qqg6) which was `call_user_func_array` using `eval()` in v2.x. This finding affects `create_function` using `new Function()` in v3.x.
## Root Cause
`src/php/funchand/create_function.ts:17`:
```typescript
return new Function(...params, code)
```
Zero input validation on either parameter.
## PoC
```javascript
const { create_function } = require('locutus/php/funchand/create_function');
const rce = create_function('', 'return require("child_process").execSync("id").toString()');
console.log(rce());
// Output: uid=501(user) gid=20(staff) ...
```
Confirmed on locutus v3.0.11, Node.js v24.13.1.
## Impact
Full RCE when an attacker can control either argument to `create_function()`. 597K weekly npm downloads.
## Suggested Fix
Remove `create_function` or replace `new Function()` with a safe alternative. PHP itself deprecated `create_function()` in PHP 7.2 for the same reason.
## Response
Thanks for the report.
We confirmed that `php/funchand/create_function` was still present through `[email protected]` and that it exposed dynamic code execution via `new Function(...)`.
While this was intended behavior, `create_function()` inherently needs to be unsafe in order for it to work, `create_function()` was deprecated in PHP 7.2 and removed in PHP 8.0. Given that Locutus' parity target today is 8.3, this function shouldn't have been in Locutus at all anymore.
We fixed this in `[email protected]` by removing `php/funchand/create_function` entirely. That matches our PHP 8.3 parity target more closely: .
We also updated `php/var/var_export` so closures now export using the PHP 8-style `\Closure::__set_state(array(...))` form instead of referencing the removed API.
Release:
- npm: `[email protected]`
- GitHub release: https://github.com/locutusjs/locutus/releases/tag/v3.0.14
Credit to @ByamB4 for the report.
The `create_function(args, code)` function passes both parameters directly to the `Function` constructor without any sanitization, allowing arbitrary code execution.
This is distinct from CVE-2026-29091 (GHSA-fp25-p6mj-qqg6) which was `call_user_func_array` using `eval()` in v2.x. This finding affects `create_function` using `new Function()` in v3.x.
## Root Cause
`src/php/funchand/create_function.ts:17`:
```typescript
return new Function(...params, code)
```
Zero input validation on either parameter.
## PoC
```javascript
const { create_function } = require('locutus/php/funchand/create_function');
const rce = create_function('', 'return require("child_process").execSync("id").toString()');
console.log(rce());
// Output: uid=501(user) gid=20(staff) ...
```
Confirmed on locutus v3.0.11, Node.js v24.13.1.
## Impact
Full RCE when an attacker can control either argument to `create_function()`. 597K weekly npm downloads.
## Suggested Fix
Remove `create_function` or replace `new Function()` with a safe alternative. PHP itself deprecated `create_function()` in PHP 7.2 for the same reason.
## Response
Thanks for the report.
We confirmed that `php/funchand/create_function` was still present through `[email protected]` and that it exposed dynamic code execution via `new Function(...)`.
While this was intended behavior, `create_function()` inherently needs to be unsafe in order for it to work, `create_function()` was deprecated in PHP 7.2 and removed in PHP 8.0. Given that Locutus' parity target today is 8.3, this function shouldn't have been in Locutus at all anymore.
We fixed this in `[email protected]` by removing `php/funchand/create_function` entirely. That matches our PHP 8.3 parity target more closely: .
We also updated `php/var/var_export` so closures now export using the PHP 8-style `\Closure::__set_state(array(...))` form instead of referencing the removed API.
Release:
- npm: `[email protected]`
- GitHub release: https://github.com/locutusjs/locutus/releases/tag/v3.0.14
Credit to @ByamB4 for the report.
ghsa CVSS3.1
9.8
Vulnerability type
CWE-94
Code Injection
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026