A high-severity vulnerability (CVE-2026-41139) in the popular mathjs JavaScript library allows remote attackers to execute arbitrary JavaScript code through the expression parser, affecting all versions from 13.1.0 up to, but not including, 15.2.0.
Organizations and developers using Math.js in user-facing applications are urged to upgrade immediately to version 15.2.0, the release that contains the fix. Math.js is a widely used, extensive math library for JavaScript and Node.js, designed to parse and evaluate complex mathematical expressions in web and server-side applications.
The newly disclosed vulnerability, tracked as CVE-2026-41139 and published under GitHub Security Advisory GHSA-5v89-rwgr-qj6g, stems from an unsafe array index getter in the library’s expression parser. The flaw was first introduced in Math.js v13.1.0 and persisted undetected across multiple releases until it was reported and patched in v15.2.0.
CVE-2026-41139: mathjs RCE Vulnerability
The vulnerability was officially published by repository maintainer Jos de Jong (josdejong) on April 17, 2026. Notably, this advisory is a resubmission of a previously closed advisory (GHSA-jvff-x2qm-6286) that was mistakenly closed before the fix was finalized.
At its core, CVE-2026-41139 is rooted in CWE-915, Improperly Controlled Modification of Dynamically-Determined Object Attributes. This weakness occurs when an application accepts user-supplied input that names object attributes to be read or modified, but fails to properly restrict which attributes may be accessed or changed.
In Math.js specifically, the vulnerability lies in the unsafe array-index-getter within the expression parser engine. When a user passes a crafted mathematical expression to the parser, the flaw allows the expression to interact with internal JavaScript object attributes that should be off-limits.
By exploiting this boundary, an attacker can escape the intended mathematical evaluation sandbox and execute arbitrary JavaScript code within the host application’s runtime environment.
The CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, yielding a CVSS base score of 8.8 (High). The attack vector is Network, the attack complexity is Low, and only low privileges (PR:L) are required, meaning any authenticated user of an application that exposes the Math.js parser could trigger the exploit without any user interaction.
The confidentiality, integrity, and availability impacts are all rated High, underscoring the potential for complete system compromise.
Any application or platform that exposes the Math.js expression parser to user-supplied input is directly vulnerable. This is particularly relevant for:
- Online calculators and scientific web tools built with Math.js
- Educational platforms that allow students to input and evaluate mathematical expressions
- Data visualization dashboards using Math.js for dynamic formula evaluation
- Node.js backend services where user-defined expressions are parsed server-side
- APIs that accept mathematical expressions as input parameters
The vulnerability is remotely exploitable over the network with low complexity, making it a high-priority target for threat actors who can scan for exposed applications running unpatched versions. Given that npm is the primary distribution channel for Math.js, any project listing mathjs >= 13.1.0 < 15.2.0 in its package.json is affected.
| Detail | Value |
|---|---|
| CVE ID | CVE-2026-41139 |
| Advisory | GHSA-5v89-rwgr-qj6g |
| Severity | High (CVSS 8.8) |
| Affected Versions | >= 13.1.0, < 15.2.0 |
| Patched Version | 15.2.0 |
| Attack Vector | Network |
| Privileges Required | Low |
| CWE | CWE-915 |
| Published | April 17, 2026 |
Patch and Mitigation
The fix was implemented through Pull Request #3656 in the official mathjs GitHub repository. Two specific commits address the vulnerability:
- Commit 0aee2f61866e35ffa0aef915221cdf6b026ffdd4
- Commit bcf0da46f0b8577ec03c9ecd7bff8b5c2543a611
These commits tighten the array-index-getter logic in the expression parser, ensuring that attribute access is properly sandboxed and that user-supplied indices cannot be used to access internal JavaScript object properties.
The patched release, mathjs v15.2.0, was made available on npm and through the official GitHub releases page. Importantly, the maintainers confirmed that there is no available workaround for this vulnerability; upgrading to v15.2.0 is the only remediation path.
Developers and security teams should act on the following steps immediately:
- Upgrade Math.js to version 15.2.0 or later via npm: npm install mathjs@latest
- Audit your codebase to identify all locations where math.evaluate() or similar expression parser APIs are called with user-controlled input
- Review application logs for anomalous or unexpected expression inputs that may indicate prior exploitation attempts
- Sanitize and validate user input passed to any mathematical expression parser as a defense-in-depth measure
- Run dependency scanning tools (e.g., npm audit, Snyk, or Dependabot) to catch this and similar transitive dependency vulnerabilities across your project tree.
FAQ
Q1: What versions of Math.js are affected by CVE-2026-41139?
All versions from 13.1.0 up to (but not including) 15.2.0 are affected, and the only fix is upgrading to version 15.2.0 or later.
Q2: Can this vulnerability be exploited without admin privileges?
Yes, the attack requires only low-level privileges (e.g., a regular authenticated user), making it significantly easier to exploit in multi-user applications.
Q3: Is there a workaround available if upgrading immediately isn’t possible?
No, the official advisory confirms there is no workaround, and upgrading to Math.js v15.2.0 is the only remediation.
Q4: What type of damage can an attacker cause by exploiting this flaw?
A successful exploit can lead to full compromise of confidentiality, integrity, and availability, including arbitrary JavaScript execution, data exfiltration, and potential server-side takeover.
Site: thecybrdef.com