Skip to main content

Mathjs

3 CVEs product

Monthly

CVE-2026-41139 npm HIGH PATCH GHSA This Week

Remote code execution in Math.js expression parser allows authenticated attackers to execute arbitrary JavaScript code in versions 13.1.0 through 15.1.x. The vulnerability stems from unsafe property access controls (CWE-915) that can be exploited via crafted mathematical expressions. Patched in version 15.2.0 with comprehensive property access validation (commit bcf0da4, PR #3656). No active exploitation confirmed by CISA KEV, but public patch code reveals exploitable attack surface involving prototype pollution or unsafe property traversal. CVSS 8.8 with network vector and low complexity indicates high real-world risk for applications exposing Math.js parsing to user input.

Node.js Information Disclosure Mathjs
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2020-7743 npm HIGH POC PATCH This Week

The package mathjs before 7.5.1 are vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Prototype Pollution Information Disclosure Mathjs
NVD GitHub
CVSS 3.1
7.3
EPSS
3.9%
CVE-2017-1001003 npm CRITICAL PATCH Act Now

math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Mathjs
NVD GitHub
CVSS 3.0
9.8
EPSS
0.5%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Math.js expression parser allows authenticated attackers to execute arbitrary JavaScript code in versions 13.1.0 through 15.1.x. The vulnerability stems from unsafe property access controls (CWE-915) that can be exploited via crafted mathematical expressions. Patched in version 15.2.0 with comprehensive property access validation (commit bcf0da4, PR #3656). No active exploitation confirmed by CISA KEV, but public patch code reveals exploitable attack surface involving prototype pollution or unsafe property traversal. CVSS 8.8 with network vector and low complexity indicates high real-world risk for applications exposing Math.js parsing to user input.

Node.js Information Disclosure Mathjs
NVD GitHub
EPSS 4% CVSS 7.3
HIGH POC PATCH This Week

The package mathjs before 7.5.1 are vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Prototype Pollution Information Disclosure Mathjs
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Mathjs
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy