Description
Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.
Published: 2026-05-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unsafe array index getter in math.js exposes the expression parser to arbitrary JavaScript execution. The vulnerability allows a malicious user to inject crafted expressions that are evaluated by the library, leading to execution of arbitrary code within the context of the application — a classic remote code execution flaw. This weakness is classified as CWE‑915 and CWE‑94 and carries a CVSS score of 8.8, indicating a high severity.

Affected Systems

The flaw affects the math.js library in versions 13.1.0 through the final release preceding 15.2.0, maintained by josdejong. Applications depending on any of those releases are susceptible; upgrading to version 15.2.0 or later eliminates the issue.

Risk and Exploitability

Without the official patch, the EPSS score is <1%, indicating a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can trigger it by injecting malicious content into any input that is processed by math.js’s expression parser. Consuming user‑supplied expressions without validation or with insufficient sandboxing permits the attacker to run arbitrary JavaScript code on the host where the library executes.

Generated by OpenCVE AI on May 8, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the math.js dependency to version 15.2.0 or later, which contains the applied fix.
  • Review all code paths that pass user input to the math.js parser and ensure such input is either completely sanitized or rejected before parsing.
  • If an immediate upgrade is not possible, restrict the use of the parser to trusted, hard‑coded expressions only and avoid evaluating expressions derived from untrusted data.

Generated by OpenCVE AI on May 8, 2026 at 01:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jvff-x2qm-6286 mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes
History

Fri, 08 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Mathjs
Mathjs mathjs
CPEs cpe:2.3:a:mathjs:mathjs:*:*:*:*:*:node.js:*:*
Vendors & Products Mathjs
Mathjs mathjs

Fri, 08 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Thu, 07 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 07 May 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Josdejong
Josdejong mathjs
Vendors & Products Josdejong
Josdejong mathjs

Thu, 07 May 2026 05:30:00 +0000

Type Values Removed Values Added
Description Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.
Title Unsafe array index getter in mathjs
Weaknesses CWE-915
References
Metrics cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Josdejong Mathjs
Mathjs Mathjs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:41:40.987Z

Reserved: 2026-04-17T12:59:15.738Z

Link: CVE-2026-41139

cve-icon Vulnrichment

Updated: 2026-05-07T13:41:15.362Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-07T06:16:04.273

Modified: 2026-05-08T17:06:03.997

Link: CVE-2026-41139

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-07T05:06:28Z

Links: CVE-2026-41139 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T02:00:06Z

Weaknesses