CVE-2026-32304
Locutus · Locutus
The Locutus library prior to version 3.0.14 is vulnerable to arbitrary code execution because the `create_function` implementation passes unsanitized input to the Function constructor.
Executive summary
Applications using the Locutus library are at risk of arbitrary code execution if they pass user-controlled data to the vulnerable create_function utility.
Vulnerability
In affected 3.x releases, the create_function(args, code) utility forwards both of its parameters to the new Function() constructor without any validation. Any application that builds either argument from external input therefore lets whoever controls that input inject and execute arbitrary JavaScript. The args parameter is not safer than code: the Function constructor parses it as a formal parameter list, and a default-value initializer placed there (for example, "a = doSomething()") is arbitrary code that runs when the generated function is called. The attacker needs no privileges within the library itself; the only precondition is that the application passes attacker-influenced data to create_function.
Business impact
With a CVSS score of 9.8, this vulnerability allows for remote code execution in the context of the application using the library. If used in a server-side Node.js environment, this could lead to a full server compromise. In a client-side environment, it could lead to widespread Cross-Site Scripting (XSS) and data theft.
Remediation
Immediate Action: Update the Locutus library to version 3.0.14 or later, where the dangerous use of the Function constructor has been addressed.
Proactive Monitoring: Audit source code to identify any instances where create_function is called using data derived from user input (e.g., URL parameters, form fields).
Compensating Controls: In browser deployments, enforce a Content Security Policy whose script-src directive omits 'unsafe-eval'; browsers then refuse to compile code through the Function constructor and eval, so a reachable create_function call fails closed instead of executing injected code. This control does not exist in Node.js, where no CSP applies, so server-side deployments must rely on patching and on removing user-controlled input from create_function.
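The following is an added example, not code from Locutus or from this advisory. It models the create_function(args, code) shape described in the Vulnerability section (both strings forwarded to the Function constructor) and shows that an attacker who controls only the parameter-list string still gets code execution; beside it sit a hardened replacement that never compiles user input and a line-based audit helper for the source review called for under Remediation. The helper names, the allowlisted helper table, the marker array globalThis.__injected and the sample source lines are all constructed for this example.

```javascript
// Added example, not code from Locutus or its advisory. It models the
// create_function(args, code) shape the advisory describes (both strings
// forwarded to the Function constructor), shows why even the "args" string
// is dangerous, and puts a hardened replacement and an audit helper beside it.

// --- Vulnerable shape: both strings reach new Function() unchecked. ---
function vulnerableCreateFunction(args, code) {
  return new Function(args, code);
}

// Marker array the payload writes to, so the demo can prove execution without
// doing anything destructive (constructed for this example).
globalThis.__injected = [];

// Suppose the application lets a user name the parameters of a small formatter
// but hard-codes the body, assuming that only the body could be dangerous.
function buildFormatter(paramNames) {
  return vulnerableCreateFunction(paramNames, 'return a + ":" + b;');
}

// Attacker-controlled parameter list. The Function constructor parses it as a
// formal parameter list, and a default-value initializer is arbitrary
// JavaScript that runs whenever the function is called without that argument.
const maliciousParams =
  'a, b = (globalThis.__injected.push("injected code ran"), "x")';

function demonstrateInjection() {
  globalThis.__injected.length = 0;
  const fmt = buildFormatter(maliciousParams);
  const result = fmt('only-one-argument'); // b is missing, so its initializer executes
  return { result, injectedCalls: globalThis.__injected.length };
}

// --- Hardened shape: nothing user-controlled is ever turned into code. ---
// Parameter names must be bare identifiers, and the body is chosen by name
// from a fixed set of developer-written helpers instead of being compiled.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const ALLOWED_HELPERS = {
  join: (a, b) => a + ':' + b,
  sum: (a, b) => a + b,
};

function safeCreateFunction(paramNames, helperName) {
  const names = paramNames.split(',').map((s) => s.trim());
  for (const n of names) {
    if (!IDENTIFIER.test(n)) {
      throw new Error(`rejected parameter name: ${JSON.stringify(n)}`);
    }
  }
  if (new Set(names).size !== names.length) {
    throw new Error('duplicate parameter name');
  }
  // Own-property check so names like "constructor" cannot reach Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_HELPERS, helperName)) {
    throw new Error(`unknown helper: ${helperName}`);
  }
  const impl = ALLOWED_HELPERS[helperName];
  // Named arguments are mapped onto the helper's positional parameters;
  // no string is parsed or evaluated as code anywhere on this path.
  return (namedArgs) => impl(...names.map((n) => namedArgs[n]));
}

// --- Audit aid for the remediation step: flag create_function calls whose two
// arguments are not both string literals. Line-based heuristic (assumption:
// one call per line, no call split across lines), meant to feed a manual
// review rather than replace one.
const CALL_SITE = /\bcreate_function\s*\((.*)\)/;
const TWO_STRING_LITERALS =
  /^\s*(['"])(?:(?!\1).)*\1\s*,\s*(['"])(?:(?!\2).)*\2\s*$/;

function findDynamicCreateFunctionCalls(source) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    const m = CALL_SITE.exec(line);
    if (m && !TWO_STRING_LITERALS.test(m[1])) {
      findings.push({ line: index + 1, call: m[0] });
    }
  });
  return findings;
}

// Constructed sample source for the audit helper.
const SAMPLE_SOURCE = [
  "const add = create_function('a, b', 'return a + b;');",       // literals only: not flagged
  "const fmt = create_function(req.query.params, 'return a;');", // parameter list from request
  "const run = create_function('x', userSuppliedBody);",         // body from user
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrateInjection());
  console.log(safeCreateFunction('a, b', 'join')({ a: 'x', b: 'y' }));
  console.log(findDynamicCreateFunctionCalls(SAMPLE_SOURCE));
}
```

Running the file with node shows the marker array being written from inside the generated function even though the application never let the user touch the body string; the hardened variant rejects the same parameter list on the identifier check, and the audit helper reports the two sample lines whose arguments are not literals. The audit regex is deliberately crude; treat its output as a worklist for the manual review, not as proof that the remaining call sites are safe.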
Exploitation status
Public Exploit Available: false
Analyst recommendation
Developers using Locutus should update to version 3.0.14 or later without delay. Beyond patching, avoid utilities that generate code from strings (create_function, eval, new Function) wherever external data could reach them; such code paths cannot be made safe by input filtering alone, and replacing them with fixed, developer-written functions selected by name removes the class of bug entirely. Prioritize this update to prevent RCE in Node.js deployments and high-impact XSS in the browser.