Impact
Math.js, an extensive JavaScript and Node.js math library, contains a vulnerability that allows a malicious user to execute arbitrary JavaScript code through the expression parser. The flaw exists in versions from 13.1.1 up to, but not including, 15.2.0. Exploiting it lets an attacker run code with the privileges of the hosting process, potentially compromising the entire application or system. The vulnerability is classified as CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes): a property write whose key comes from untrusted input, which in this case can be steered into code execution rather than a mere data corruption.
Affected Systems
The affected product is Math.js, maintained by josdejong. Applications that integrate Math.js and expose its expression parser (the entry points that take a string expression, such as `evaluate`, `parse` and `compile`) to remote or unauthenticated users are at risk. All releases from 13.1.1 up to, but not including, 15.2.0 are vulnerable. These versions are commonly bundled in Node.js applications, web services, browser bundles, or any other JavaScript runtime that imports the library. Applications using 15.2.0 or newer are no longer affected; note that a fixed top-level dependency does not cover additional copies of Math.js nested under other packages, so the lockfile, not just package.json, should be checked.
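The following check is an added example and not code from Math.js, OpenCVE or GHSA. It tests a version string against the range stated above (13.1.1 inclusive to 15.2.0 exclusive) and walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` so that nested copies pulled in by other dependencies are found too. The lockfile object at the bottom is a constructed sample, and the dependency names in it are made up.

```javascript
// Added example: is a given mathjs version inside the advisory's affected range,
// and which installed copies (including nested ones) does a lockfile contain?
// Not math.js or OpenCVE code; SAMPLE_LOCK below is constructed for illustration.

const AFFECTED_FROM = [13, 1, 1]; // first affected release (per the advisory)
const FIXED_IN = [15, 2, 0];      // first release that is no longer affected

// Parse "MAJOR.MINOR.PATCH". A leading "v" and any prerelease/build suffix are
// ignored, so "15.2.0-beta.1" compares as 15.2.0; treat prereleases of the fix
// version with suspicion if your policy needs to be strict about them.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison (string comparison would put 9 after 15).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_FROM) >= 0 && compareVersions(v, FIXED_IN) < 0;
}

// Report every installed copy of mathjs in the "packages" map of a
// lockfileVersion 2/3 package-lock.json whose version is in range. Keys look
// like "node_modules/mathjs" (top level) or
// "node_modules/<dep>/node_modules/mathjs" (nested copy with its own version).
function findAffectedMathjs(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isMathjs = path === 'node_modules/mathjs' || path.endsWith('/node_modules/mathjs');
    if (isMathjs && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: the top-level copy is fixed, but a hypothetical dependency
// ("some-plotting-lib") pins an older major and carries its own affected copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { mathjs: '^15.2.0', 'some-plotting-lib': '^1.0.0' } },
    'node_modules/mathjs': { version: '15.2.0' },
    'node_modules/some-plotting-lib': { version: '1.0.0', dependencies: { mathjs: '^14.0.0' } },
    'node_modules/some-plotting-lib/node_modules/mathjs': { version: '14.0.0' },
  },
};

console.log(findAffectedMathjs(SAMPLE_LOCK));
```

On a real project, replace `SAMPLE_LOCK` with the parsed contents of `package-lock.json` (or inspect `npm ls mathjs --all`, which lists nested copies as well); every hit needs an upgrade or an override of the nested dependency, not just a bump of the top-level version.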
Risk and Exploitability
The vulnerability has a CVSS score of 8.8, a high severity rating. Its EPSS score is reported as below 1%, meaning little exploitation activity has been observed so far; that says nothing about difficulty, and a targeted attack against an exposed parser endpoint remains entirely feasible. The vulnerability is not listed in CISA's KEV catalog, yet it permits remote code execution whenever an attacker can supply a crafted expression to the parser. The likely attack vector is therefore any endpoint or user input that is handed to Math.js's expression evaluator. Where the library is invoked on data from untrusted sources, an attacker could inject JavaScript, leading to compromise of the application, data exfiltration, or denial of service.
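To make the CWE-915 label concrete, the following is an added example and not Math.js code: it does not reproduce the library's parser or the actual flaw, only the bug class the classification names, on a generic "set a value at a dotted path" helper with the path taken from untrusted input. The vulnerable form follows whatever key names it is given, so `__proto__` or `constructor.prototype` walk it out of the target object and onto `Object.prototype`; the hardened form refuses those keys, only descends into properties the current object owns, and creates intermediates with a null prototype. The paths used in the demonstration are constructed.

```javascript
// Added example: the CWE-915 pattern (property write keyed on untrusted input),
// vulnerable form beside a hardened form. Illustrative only; not math.js code.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable: trusts the key names. "__proto__" resolves to Object.prototype and
// "constructor.prototype" reaches it too, so a write meant for one plain object
// lands on every object in the process (prototype pollution). In code that later
// treats object properties as callables or templates, that becomes code execution.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: reject keys that lead out of the target, walk only into properties
// the current object owns (never inherited ones), and make intermediates with a
// null prototype so there is nothing inherited to reach from them.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length; i++) {
    const k = keys[i];
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`refusing to write property "${k}"`);
    if (i === keys.length - 1) {
      cur[k] = value;
      return target;
    }
    if (!hasOwn(cur, k) || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  return target;
}

// Demonstration with a constructed attacker-controlled path. Returns what an
// unrelated, freshly created object sees for `polluted` after each helper runs.
function demo() {
  const result = {};
  setPathUnsafe({}, '__proto__.polluted', 'yes');
  result.afterUnsafe = ({}).polluted;    // 'yes': every object is now tainted
  delete Object.prototype.polluted;      // clean up for the rest of the process
  try {
    setPathSafe({}, '__proto__.polluted', 'yes');
    result.afterSafe = 'write was allowed';
  } catch (e) {
    result.afterSafe = ({}).polluted;    // undefined: the write was refused
  }
  return result;
}

console.log(demo());
```

The three-key denylist plus the own-property guard is the standard repair for this pattern; the stronger design is to keep attacker-chosen keys out of ordinary objects altogether (a `Map`, or objects created with `Object.create(null)`). For the library itself the remediation is simply the upgrade to 15.2.0 or later, while this example shows what to look for in your own code that sits around the parser.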
OpenCVE Enrichment
Source: GitHub GHSA