Platform
nodejs
Component
locutus
Fixed in
3.0.15
3.0.14
CVE-2026-32304 describes a Remote Code Execution (RCE) vulnerability within the Locutus PHP library. This flaw stems from insufficient input validation within the create_function function, enabling attackers to execute arbitrary code. The vulnerability impacts versions of Locutus prior to 3.0.14 and requires immediate attention to prevent potential exploitation. A fix has been released in version 3.0.14.
The impact of CVE-2026-32304 is severe due to its RCE nature. An attacker can leverage this vulnerability to execute arbitrary code on the server hosting the Locutus library, potentially gaining complete control of the system. This could lead to data breaches, malware installation, denial of service, or further exploitation of other vulnerabilities within the application. The lack of sanitization on both parameters passed to the Function constructor makes exploitation relatively straightforward, increasing the likelihood of successful attacks. This vulnerability shares similarities with other code execution flaws where improper input validation allows for malicious code injection.
CVE-2026-32304 is currently not listed on the CISA KEV catalog. The EPSS score is likely to be high given the RCE nature and the availability of a public proof-of-concept. A public proof-of-concept (PoC) has been released, demonstrating the ease of exploitation. The vulnerability was publicly disclosed on March 13, 2026, indicating a relatively short timeframe between discovery and public awareness.
Applications and systems utilizing the Locutus PHP library, particularly those that dynamically generate code using create_function without proper input validation, are at significant risk. This includes Node.js applications that incorporate Locutus and expose endpoints where user-supplied data could influence the code executed by create_function. Shared hosting environments that bundle Locutus are also vulnerable if they haven't been updated.
• nodejs:
ps aux | grep 'create_function' && grep 'create_function' /var/log/nodejs/error.log
• generic web:
curl -I <affected_url> | grep 'create_function'
• generic web:
grep -r 'create_function' /var/log/apache2/access.log
Exploit status
EPSS
0.10% (percentile 28%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32304 is to immediately upgrade to Locutus version 3.0.14 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. While direct input validation within create_function is difficult without modifying the library, restricting access to the function and its parameters through application-level controls can reduce the attack surface. Web Application Firewalls (WAFs) configured to detect and block suspicious code execution attempts targeting the create_function function may provide an additional layer of defense. Monitor system logs for unusual activity related to the create_function function. After upgrading, confirm the fix by attempting to trigger the vulnerability with a known payload and verifying that it is no longer exploitable.
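As an added example (not from this advisory or the Locutus project), the following Node.js script audits a package-lock.json for installed copies of locutus below the fixed version named above, including nested copies pulled in by transitive dependencies. The lockfile content is constructed sample data, and the version comparison assumes plain MAJOR.MINOR.PATCH strings.

```javascript
// Added example: audit a package-lock.json ("packages" map, lockfile v2/v3)
// for installed copies of locutus older than the release the advisory names
// as fixed. The lockfile below is constructed sample data, not a real project.
const FIXED_VERSION = "3.0.14";

// Parse "MAJOR.MINOR.PATCH" into numbers. Assumption: any pre-release or
// build suffix is ignored, so "3.0.14-beta.1" compares as 3.0.14.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, component by component: "3.0.9" is older than
// "3.0.14", which a plain string comparison would get wrong.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk every installed path in the lockfile, including nested copies under
// other dependencies, and return those still below the fixed version.
function findVulnerableLocutus(lockfile, fixedVersion = FIXED_VERSION) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/locutus") || !meta.version) continue;
    if (compareVersions(meta.version, fixedVersion) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile: the direct install is already patched, but a
// transitive dependency still carries its own older copy.
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/locutus": { version: "3.0.14" },
    "node_modules/some-dep": { version: "2.1.0" },
    "node_modules/some-dep/node_modules/locutus": { version: "3.0.13" },
  },
};

console.log(JSON.stringify(findVulnerableLocutus(sampleLockfile)));
```

To run it against a real project, replace sampleLockfile with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).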
Update the Locutus library to version 3.0.14 or later. This version fixes the remote code execution vulnerability by sanitizing the input to the create_function() function. The update will prevent arbitrary code execution through unsafe input.
CVE-2026-32304 is a critical RCE vulnerability in the Locutus PHP library where the create_function function lacks input sanitization, allowing attackers to execute arbitrary code.
You are affected if you are using Locutus PHP library versions prior to 3.0.14 and have not applied the security patch.
Upgrade to Locutus version 3.0.14 or later to resolve this vulnerability. If immediate upgrade is not possible, consider temporary workarounds like restricting access to the create_function function.
While active exploitation is not confirmed, a public proof-of-concept exists, increasing the risk of exploitation.
Refer to the Locutus project's official advisory channels for the latest information and updates regarding CVE-2026-32304.