Description
Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.
References (5)
Core 5
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/josdejong/mathjs/security/advisories/GHSA-5v89-rwgr-qj6g
X_Refsource_Misc x_refsource_misc
https://github.com/josdejong/mathjs/pull/3656
X_Refsource_Misc x_refsource_misc
https://github.com/josdejong/mathjs/commit/0aee2f61866e35ffa0aef915221cdf6b026ffdd4
X_Refsource_Misc x_refsource_misc
https://github.com/josdejong/mathjs/commit/bcf0da46f0b8577ec03c9ecd7bff8b5c2543a611
X_Refsource_Misc x_refsource_misc
https://github.com/josdejong/mathjs/releases/tag/v15.2.0
Scores
CVSS v3
8.8
EPSS
0.0006
EPSS Percentile
19.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-915
Status
published
Products (3)
josdejong/mathjs
>= 13.1.0, < 15.2.0
mathjs/mathjs
13.1.0 - 15.2.0
npm/mathjs
13.1.0 - 15.2.0npm
Published
May 07, 2026
Tracked Since
May 07, 2026