Skip to main content

math-codegen CVE-2026-41507

| EUVDEUVD-2026-28597 CRITICAL
Code Injection (CWE-94)
2026-05-08 security-advisories@github.com GHSA-p6x5-p4xf-cc4r
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 14:32 vuln.today
Analysis Generated
May 08, 2026 - 14:32 vuln.today
CVE Published
May 08, 2026 - 14:16 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 16 npm packages depend on math-codegen (2 direct, 14 indirect)

Ecosystem-wide dependent count for version 0.4.3.

DescriptionGitHub Advisory

math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3.

AnalysisAI

Remote code execution in math-codegen npm package versions prior to 0.4.3 allows unauthenticated attackers to execute arbitrary system commands via string literal injection into the cg.parse() function. The vulnerability stems from unsanitized string literals being injected directly into new Function() bodies, enabling full command execution on any application exposing math evaluation endpoints that process user input. EPSS score not available, but this is a critical unauthenticated RCE requiring no special conditions beyond user input reaching the vulnerable parser. Vendor-released patch available in version 0.4.3.

Technical ContextAI

math-codegen is an npm library that generates executable JavaScript code from mathematical expressions. The vulnerability (CWE-94: Improper Control of Generation of Code / Code Injection) occurs in the code generation pipeline where string literals passed through cg.parse() are concatenated directly into dynamically constructed Function() bodies without escaping. The commit diff shows the fix replaced unsafe string concatenation (e.g., 'scope["' + node.name + '"]') with JSON.stringify() across multiple node handlers (ConstantNode.js, SymbolNode.js, AssignmentNode.js, FunctionNode.js). This ensures user-controlled strings are properly escaped and treated as data rather than executable code. The vulnerability affects the core parsing and code generation mechanism, meaning any mathematical expression containing attacker-controlled string literals can break out of the intended context and inject arbitrary JavaScript that executes with the privileges of the Node.js process.

RemediationAI

Upgrade math-codegen to version 0.4.3 or later immediately. The fix is implemented in commit 4bb52d3030683362b3559ee8dd91350555a05f6b and merged via pull request #11, which replaces unsafe string concatenation with JSON.stringify() across all code generation nodes. Update package.json to specify "math-codegen": "^0.4.3" and run npm update. Verify the upgrade with npm list math-codegen. Full advisory and patch details available at https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r. As a temporary workaround if immediate upgrading is not possible, implement strict input sanitization to reject or escape any string literals before passing to cg.parse(), though this is difficult to implement correctly and not recommended as a long-term solution. Alternatively, disable or restrict access to any endpoints that expose math evaluation functionality until patching is complete. For defense in depth, run the Node.js process with minimal privileges and consider sandboxing techniques, though these do not eliminate the vulnerability.

Share

CVE-2026-41507 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy