Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 16 npm packages depend on math-codegen (2 direct, 14 indirect)
Ecosystem-wide dependent count for version 0.4.3.
DescriptionGitHub Advisory
math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3.
AnalysisAI
Remote code execution in math-codegen npm package versions prior to 0.4.3 allows unauthenticated attackers to execute arbitrary system commands via string literal injection into the cg.parse() function. The vulnerability stems from unsanitized string literals being injected directly into new Function() bodies, enabling full command execution on any application exposing math evaluation endpoints that process user input. EPSS score not available, but this is a critical unauthenticated RCE requiring no special conditions beyond user input reaching the vulnerable parser. Vendor-released patch available in version 0.4.3.
Technical ContextAI
math-codegen is an npm library that generates executable JavaScript code from mathematical expressions. The vulnerability (CWE-94: Improper Control of Generation of Code / Code Injection) occurs in the code generation pipeline where string literals passed through cg.parse() are concatenated directly into dynamically constructed Function() bodies without escaping. The commit diff shows the fix replaced unsafe string concatenation (e.g., 'scope["' + node.name + '"]') with JSON.stringify() across multiple node handlers (ConstantNode.js, SymbolNode.js, AssignmentNode.js, FunctionNode.js). This ensures user-controlled strings are properly escaped and treated as data rather than executable code. The vulnerability affects the core parsing and code generation mechanism, meaning any mathematical expression containing attacker-controlled string literals can break out of the intended context and inject arbitrary JavaScript that executes with the privileges of the Node.js process.
RemediationAI
Upgrade math-codegen to version 0.4.3 or later immediately. The fix is implemented in commit 4bb52d3030683362b3559ee8dd91350555a05f6b and merged via pull request #11, which replaces unsafe string concatenation with JSON.stringify() across all code generation nodes. Update package.json to specify "math-codegen": "^0.4.3" and run npm update. Verify the upgrade with npm list math-codegen. Full advisory and patch details available at https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r. As a temporary workaround if immediate upgrading is not possible, implement strict input sanitization to reject or escape any string literals before passing to cg.parse(), though this is difficult to implement correctly and not recommended as a long-term solution. Alternatively, disable or restrict access to any endpoints that expose math evaluation functionality until patching is complete. For defense in depth, run the Node.js process with minimal privileges and consider sandboxing techniques, though these do not eliminate the vulnerability.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28597
GHSA-p6x5-p4xf-cc4r