Threat Advisory

Mathjs Vulnerability Exploits Expression Parser

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-40897 (CVSS score 8.8) is a vulnerability in the expression parser of the mathjs package that allows an attacker to execute arbitrary JavaScript code. The affected software is mathjs versions 13.1.1 through 15.2.0. An attacker exploits the flaw by supplying a crafted expression as user input; when the application passes that expression to the mathjs parser for evaluation, the injected JavaScript is executed. This gives the attacker the ability to potentially access sensitive data, perform unauthorized actions, or escalate privileges within the application. If exploited, the vulnerability can have significant business impact, including data exfiltration, unauthorized access, and disruption of critical business processes. Exploitation requires access to a system where users can evaluate arbitrary expressions with the mathjs expression parser and where the application runs a vulnerable version of mathjs.

RECOMMENDATION:

We recommend updating mathjs to version 15.2.0.
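A defensive check that supports this recommendation, added here as an example and not part of the advisory or the mathjs project: a script that scans the dependency map of a package-lock.json for mathjs installs (top-level or nested) whose version falls inside the affected range stated above, 13.1.1 through 15.2.0, assumed inclusive at both ends; adjust the bounds if the GHSA entry gives different ones. The lock-file fragment is constructed sample data.

```javascript
// Added example: find mathjs installs in a package-lock.json (v2/v3 "packages"
// map) whose version is inside the affected range from the advisory.
// No external libraries; the lock-file content below is constructed sample data.

// Affected range as stated in the advisory (assumed inclusive at both ends).
const AFFECTED_MIN = "13.1.1";
const AFFECTED_MAX = "15.2.0";

// Parse "MAJOR.MINOR.PATCH" into numbers; a leading "v" and any
// pre-release/build suffix are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric compare of two version strings: -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when min <= version <= max.
function isAffected(version, min = AFFECTED_MIN, max = AFFECTED_MAX) {
  return compareSemver(version, min) >= 0 && compareSemver(version, max) <= 0;
}

// Walk the "packages" map of a parsed lock file and return every mathjs
// entry (hoisted or nested under another package) in the affected range.
function findAffectedMathjs(lockfile, min = AFFECTED_MIN, max = AFFECTED_MAX) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/mathjs") || !entry.version) continue;
    if (isAffected(entry.version, min, max)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample: one affected hoisted copy, one nested copy below the range.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/mathjs": { version: "14.0.0" },
    "node_modules/some-lib/node_modules/mathjs": { version: "13.0.0" },
  },
};

console.log(findAffectedMathjs(SAMPLE_LOCK)); // reports only node_modules/mathjs@14.0.0
```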

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-29qv-4j9f-fjw5
