DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-JVFF-X2QM-6286: GHSA-jvff-x2qm-6286: Arbitrary JavaScript Execution via Sandbox Bypass in mathjs

#security #cve #cybersecurity #ghsa

GHSA-jvff-x2qm-6286: Arbitrary JavaScript Execution via Sandbox Bypass in mathjs

Vulnerability ID: GHSA-JVFF-X2QM-6286
CVSS Score: 8.8
Published: 2026-04-10

The mathjs library prior to version 15.2.0 contains critical vulnerabilities in its expression parser sandbox. An attacker can leverage improper property validation and type confusion to execute arbitrary JavaScript within the host environment. The issue stems from lenient array property validation and inadequate type checking on the index parameter during dimension evaluation.

TL;DR

A sandbox bypass in mathjs < 15.2.0 allows low-privileged attackers to execute arbitrary JavaScript code via crafted expressions. The flaws involve array method shadowing and type confusion, resulting in a CVSS score of 8.8. Immediate upgrade to version 15.2.0 is required.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-915
  • Attack Vector: Network
  • CVSS Base Score: 8.8
  • Impact: Remote Code Execution
  • Exploit Status: Proof of Concept
  • Remediation: Patch Available

Affected Systems

  • mathjs npm package (< 15.2.0)
  • Node.js server applications evaluating untrusted input via mathjs
  • Client-side web applications exposing mathjs evaluation to users
  • mathjs: < 15.2.0 (Fixed in: 15.2.0)

Code Analysis

Commit: 0aee2f6

Fix for sandbox bypass vulnerabilities via array method shadowing and type confusion.

Exploit Details

Mitigation Strategies

  • Upgrade mathjs to version 15.2.0 or later.
  • Implement strict input validation on the server side to reject expressions containing known payload signatures (e.g., reviver, constructor).
  • Monitor application logs for anomalous evaluation errors originating from the mathjs parser.

Remediation Steps:

  1. Identify all projects utilizing the mathjs package.
  2. Update the mathjs version constraint in package.json to '>= 15.2.0'.
  3. Execute 'npm install' or 'yarn install' to update the lockfile.
  4. Run unit and integration tests to ensure compatibility with version 15.2.0.
  5. Deploy the updated application to production environments.

References

Read the full report for GHSA-JVFF-X2QM-6286 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)