CVE-2026-40897 PUBLISHED

Math.js: Unsafe object property setter in mathjs

Assigner: GitHub_M
Reserved: 15.04.2026 Published: 24.04.2026 Updated: 24.04.2026

Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. This vulnerability is fixed in 15.2.0.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	josdejong
Product	mathjs
Versions	Version >= 13.1.1, < 15.2.0 is affected

References

https://github.com/josdejong/mathjs/security/advisories/GHSA-29qv-4j9f-fjw5
https://github.com/josdejong/mathjs/pull/3656
https://github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326ad

Problem Types

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE