What is CVE-2026-40897?

Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be af...

How severe is CVE-2026-40897?

CVE-2026-40897 is rated high severity with a CVSS score of 8.8 out of 10.

Is there a public proof-of-concept (PoC) for CVE-2026-40897?

Yes. Public exploit material exists via 1 GitHub PoC repository. See the references section for direct links. Treat all linked code as untrusted and use only in authorized, isolated lab environments.

What products are affected by CVE-2026-40897?

CVE-2026-40897 affects Mathjs Mathjs. Check vendor advisories for specific affected versions.

How do I fix CVE-2026-40897?

Apply the latest security patches from the vendor. If patching is not immediately possible, review the mitigation steps in this advisory and monitor for exploitation attempts.

Math.js parser RCE in expression eval (CVE-2026-40897) [PoC]

Vendor-confirmed - CVE-2026-40897 is a high-severity RCE in Math.js versions 13.1.1 through 15.1.0 that lets unauthenticated attackers execute arbitrary JavaScript on the server via the expression parser. Patched in 15.2.0 - update immediately.

Overview

CVE-2026-40897 affects the Math.js expression parser, a feature designed to evaluate mathematical expressions dynamically. An attacker who can submit arbitrary expressions to the parser can inject malicious JavaScript code, gaining the ability to execute system commands, read sensitive data, or manipulate server-side logic. The vulnerability exists because the parser does not properly sanitize user-supplied input during evaluation, allowing unexpected code paths to reach JavaScript execution functions.

This vulnerability receives a CVSS score of 8.8 (High) with a vector of AV:N/AC:L/PR:L/UI:N - meaning it can be exploited over the network with low complexity, requires only low privileges, and needs no user interaction. Any application that exposes the Math.js expression parser to user input is at risk.

Impact

An attacker exploiting CVE-2026-40897 achieves remote code execution (RCE) on the server hosting the vulnerable application. This can lead to complete server compromise, including data exfiltration, lateral movement within the network, and persistent access via backdoors. Unlike typical injection attacks that target operating system commands, this vulnerability uses JavaScript, the same language as the runtime, making detection more difficult for signature-based defenses.

Remediation

Update Math.js to version 15.2.0 or later immediately. The fix disables unsafe evaluation paths in the expression parser. If immediate patching is not possible, restrict access to the expression parser to trusted users only, and implement input validation to block suspicious expression patterns. Consider using a Web Application Firewall (WAF) to filter malicious expression payloads while you migrate.

Security Insight

This vulnerability belongs to the growing class of parser injections that target library-internal languages rather than operating system shells. Similar flaws exist in other evaluation engines such as Python’s eval(), Python’s exec(), and JavaScript’s Function() constructor. The Math.js team has addressed this by tightening the parser’s sandbox, but developers should treat any user-controllable expression parser as a high-risk attack surface and sandbox it separately from application logic. Data breach reports are available at breach reports. For more cybersecurity news, visit security news.

Math.js parser RCE in expression eval (CVE-2026-40897) [PoC]

Overview

Impact

Remediation

Security Insight

Further Reading

Never miss a critical vulnerability

Public PoC References

Related Advisories

Overview

Impact

Remediation

Security Insight

Further Reading

Never miss a critical vulnerability

Public PoC References

Related Advisories

Never Miss a Critical Alert