Description
Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.
Published: 2026-05-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unsafe array index getter in math.js exposes the expression parser to arbitrary JavaScript execution. The vulnerability allows a malicious user to inject crafted expressions that are evaluated by the library, leading to execution of arbitrary code within the context of the application — a classic remote code execution flaw. This weakness is classified as CWE‑915 and carries a CVSS score of 8.8, indicating a high severity.

Affected Systems

The flaw affects the math.js library in versions 13.1.0 through the final release preceding 15.2.0, maintained by josdejong. Applications depending on any of those releases are susceptible; upgrading to version 15.2.0 or later eliminates the issue.

Risk and Exploitability

Without the official patch, the EPSS score is unavailable, so the probability of exploitation cannot be quantified, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can trigger it by injecting malicious content into any input that is processed by math.js’s expression parser. Consuming user‑supplied expressions without validation or with insufficient sandboxing permits the attacker to run arbitrary JavaScript code on the host where the library executes.

Generated by OpenCVE AI on May 7, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the math.js dependency to version 15.2.0 or later, which contains the applied fix.
  • Review all code paths that pass user input to the math.js parser and ensure such input is either completely sanitized or rejected before parsing.
  • If an immediate upgrade is not possible, restrict the use of the parser to trusted, hard‑coded expressions only and avoid evaluating expressions derived from untrusted data.

Generated by OpenCVE AI on May 7, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jvff-x2qm-6286 mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes
History

Thu, 07 May 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Josdejong
Josdejong mathjs
Vendors & Products Josdejong
Josdejong mathjs

Thu, 07 May 2026 05:30:00 +0000

Type Values Removed Values Added
Description Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.
Title Unsafe array index getter in mathjs
Weaknesses CWE-915
References
Metrics cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Josdejong Mathjs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:41:40.987Z

Reserved: 2026-04-17T12:59:15.738Z

Link: CVE-2026-41139

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-07T06:16:04.273

Modified: 2026-05-07T06:16:04.273

Link: CVE-2026-41139

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T07:45:15Z

Weaknesses