CVE-2026-41139
Arbitrary Code Execution in Math.js Library
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| josdejong | mathjs | From 13.1.0 (inc) to 15.2.0 (exc) |
| josdejong | mathjs | 15.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can have a severe impact as it allows attackers to execute arbitrary JavaScript code remotely without user interaction, with low complexity and low required privileges.
- Confidentiality: Attackers can access sensitive data by executing malicious scripts.
- Integrity: Attackers can modify data or application behavior by injecting code.
- Availability: The system or application could be disrupted or crashed by malicious code.
Can you explain this vulnerability to me?
CVE-2026-41139 is a vulnerability in the mathjs library versions 13.1.0 to before 15.2.0 that allows arbitrary JavaScript code execution via the expression parser. This happens because of an unsafe array index getter introduced in version 13.1.0, which lets attackers execute malicious code when untrusted input is evaluated.
The issue was fixed by adding validation to ensure that array indices used in the .get() methods are strictly arrays and by improving the internal setSafeProperty function to restrict property setting on arrays to only numeric indices or the length property. These changes prevent unauthorized modification of object attributes and mitigate the risk of arbitrary code execution.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves arbitrary JavaScript execution via the mathjs expression parser in versions 13.1.0 to before 15.2.0. Detection would primarily involve identifying usage of vulnerable mathjs versions or attempts to evaluate untrusted input through the expression parser.
Since the vulnerability is in a JavaScript library, detection on a network or system would focus on verifying the installed mathjs version and monitoring for suspicious expression evaluations.
Suggested commands to detect vulnerable versions on your system might include:
- Check installed mathjs version in your project: `npm list mathjs` or `yarn list mathjs`
- Search for usage of mathjs expression parser in code to identify if untrusted input is evaluated.
- Monitor logs or application behavior for unexpected JavaScript execution or errors related to mathjs expression parsing.
No specific detection commands or signatures for exploit attempts are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary and only effective mitigation step is to upgrade mathjs to version 15.2.0 or later, where the vulnerability has been patched.
No workarounds or alternative mitigations exist other than upgrading.
The fix includes validation of array indices and improved safety checks in the expression parser to prevent arbitrary JavaScript execution.
Ensure that untrusted input is not evaluated by the mathjs expression parser until the upgrade is applied.