DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-40897: Remote Code Execution via Array Property Modification in mathjs

Vulnerability ID: CVE-2026-40897
CVSS Score: 8.8
Published: 2026-04-24

A high-severity vulnerability (CVSS 8.8) in the mathjs expression parser lets anyone who can submit an expression bypass the parser's sandbox. By exploiting improperly controlled modification of dynamically-determined object attributes (CWE-915) on Array instances, an attacker can reach the Function constructor and run arbitrary JavaScript in the process that evaluates the expression. For any service that evaluates untrusted expressions over the network, that is remote code execution.

TL;DR

mathjs versions 13.1.1 through 15.1.x do not sufficiently restrict property modification on Array instances. A crafted expression can overwrite methods on an array, escape the expression sandbox and execute arbitrary code. The fix shipped in 15.2.0.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)
  • CVSS Score: 8.8 (High)
  • Attack Vector: Network
  • EPSS Score: 0.00082 (about 0.08% predicted probability of exploitation in the wild)
  • Impact: Remote Code Execution (RCE) in the process that evaluates the expression
  • Exploit Status: Proof of Concept

Affected Systems

  • Node.js applications using mathjs versions 13.1.1 through 15.1.x
  • Client-side web applications evaluating untrusted expressions with mathjs
  • Serverless functions exposing math.evaluate() via APIs
  • mathjs: >= 13.1.1, < 15.2.0 (Fixed in: 15.2.0)

Code Analysis

Commit: 513ab2a

Security fix for sandbox escape via array method hijacking

Mitigation Strategies

  • Upgrade mathjs to the patched version 15.2.0 or higher. This is the only complete fix.
  • As defense in depth, validate expressions before evaluation: allowlist the functions and variables an expression may reference and reject internal or meta functions such as reviver, so an expression has no way to name them even if a sandbox hole exists.
  • Isolate expression evaluation workloads in restricted containers or Web Workers, so that a sandbox escape is confined to a process with no secrets or privileges of its own.
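The input-validation strategy above as working code. This is an added example, not code from the advisory or from the mathjs project: a pre-filter applied to an expression string before it is handed to math.evaluate(). It assumes a numeric-only use case (no units, no strings) and rejects identifiers outside an allowlist (so meta functions such as reviver, import or evaluate can never be named), assignments, dotted property access and string literals. The allowlists and the helper names validateExpression and safeEvaluate are this example's own choices. It is defense in depth only and does not replace upgrading to 15.2.0.

```javascript
// Added example, not advisory or mathjs project code: allowlist pre-filter
// for expressions before they reach math.evaluate(). Assumes numeric-only
// expressions; the allowlists below are an assumption for this example.
'use strict';

const ALLOWED_FUNCTIONS = new Set([
  'sin', 'cos', 'tan', 'sqrt', 'abs', 'exp', 'log', 'pow',
  'min', 'max', 'sum', 'mean', 'round', 'floor', 'ceil',
]);
const ALLOWED_CONSTANTS = new Set(['pi', 'e', 'i', 'Infinity']);

// Tokens: number (optional fraction/exponent), identifier, double-quoted
// string, whitespace, or any other single character (operators, brackets).
const TOKEN_RE =
  /\d+(?:\.\d*)?(?:[eE][+-]?\d+)?|\.\d+(?:[eE][+-]?\d+)?|[A-Za-z_$][A-Za-z0-9_$]*|"(?:[^"\\]|\\.)*"|\s+|./g;

const IDENT_RE = /^[A-Za-z_$]/;

// Returns { ok, errors }. Every finding is reported, not just the first.
function validateExpression(expr, allowedVariables = []) {
  const allowedVars = new Set(allowedVariables);
  const errors = [];
  const tokens = (expr.match(TOKEN_RE) || []).filter((t) => !/^\s+$/.test(t));

  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    const prev = tokens[i - 1];
    const next = tokens[i + 1];

    if (IDENT_RE.test(t)) {
      // Anything not explicitly allowed (reviver, import, constructor, ...)
      // is rejected by name.
      if (!ALLOWED_FUNCTIONS.has(t) && !ALLOWED_CONSTANTS.has(t) && !allowedVars.has(t)) {
        errors.push(`identifier not allowed: ${t}`);
      }
    } else if (t.startsWith('"')) {
      // Numeric work needs no string literals; they only help reach
      // properties by name (e.g. as index keys).
      errors.push('string literal not allowed');
    } else if (t === '=') {
      // A lone '=' is assignment; '==', '!=', '<=', '>=' are comparisons.
      if (next !== '=' && !['=', '!', '<', '>'].includes(prev)) {
        errors.push('assignment not allowed');
      }
    } else if (t === '.' && next !== undefined && IDENT_RE.test(next)) {
      // a.b is property access; element-wise .* ./ .^ are left alone.
      errors.push(`property access not allowed: .${next}`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Guard an evaluator (pass math.evaluate in a real app; mathjs is not
// loaded here). Scope keys are the only variables the expression may use.
function safeEvaluate(evaluate, expr, scope = {}) {
  const check = validateExpression(expr, Object.keys(scope));
  if (!check.ok) {
    throw new Error(`rejected expression: ${check.errors.join('; ')}`);
  }
  return evaluate(expr, scope);
}
```

In an application, call `safeEvaluate(math.evaluate, expr, scope)` and treat a rejection as a client error. The mathjs documentation's security guidance additionally recommends disabling import, createUnit, evaluate, parse, simplify and derivative by overriding them with `math.import({...}, { override: true })`; do both, and still upgrade.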

Remediation Steps:

  1. Audit project dependencies using npm audit or equivalent tools to identify vulnerable mathjs versions, including transitive copies pinned in the lockfile.
  2. Update package.json to require mathjs@^15.2.0 and reinstall so the lockfile is regenerated.
  3. Execute the test suite to verify no regressions in valid mathematical expressions.
  4. Deploy the updated application to production environments.
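Step 1 as code, covering the affected range given under Affected Systems. This is an added example, not code from the advisory or the mathjs project: it scans an npm lockfile for every installed copy of mathjs, top-level and nested, and flags versions in the range >= 13.1.1, < 15.2.0. npm audit does this against the registry; this shows the check itself and runs offline on a constructed lockfile. The package name "plot-widget" in the sample is hypothetical.

```javascript
// Added example, not advisory or mathjs project code: flag vulnerable mathjs
// copies in an npm lockfile. Range from the advisory: >= 13.1.1, < 15.2.0.
'use strict';

const AFFECTED_FROM = '13.1.1'; // first affected release (inclusive)
const FIXED_IN = '15.2.0';      // first fixed release (exclusive upper bound)

// Compare major.minor.patch numerically; pre-release/build suffixes are
// dropped, which is fine for the exact versions a lockfile pins.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Collect every mathjs entry: lockfileVersion 2/3 keep a flat "packages"
// map keyed by install path, lockfileVersion 1 nests "dependencies".
function findMathjs(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/mathjs' || path.endsWith('/node_modules/mathjs')) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'mathjs') found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// One record per installed copy, with an `affected` verdict.
function auditLock(lock) {
  return findMathjs(lock).map((e) => ({ ...e, affected: isAffected(e.version) }));
}

// Constructed sample (lockfileVersion 3): the app pins the fixed release,
// but a hypothetical dependency "plot-widget" still ships a vulnerable copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/mathjs': { version: '15.2.0' },
    'node_modules/plot-widget': { version: '1.0.0' },
    'node_modules/plot-widget/node_modules/mathjs': { version: '14.0.1' },
  },
};

for (const r of auditLock(SAMPLE_LOCK)) {
  console.log(`${r.affected ? 'VULNERABLE' : 'ok'}\t${r.version}\t${r.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The nested copy is the point: `mathjs@^15.2.0` in package.json only governs the top-level dependency, and a transitive pin stays vulnerable until the intermediate package updates or an npm `overrides` entry forces the version.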

