Remote Code Execution (RCE) via String Literal Injection into math-codegen
GHSA-p6x5-p4xf-cc4r · CVE-2026-41507
Description
Impact
String literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE.
Patches
The vulnerability is addressed by using JSON.stringify() on string literal values in lib/node/ConstantNode.js to ensure they are treated as data rather than code. Users should upgrade to version 0.4.3 or later.
Workarounds
Avoid passing unsanitized user input to the parser, or manually escape string literals in the input before it reaches cg.parse().
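The following is an added illustration of the pattern described under Patches and Workarounds, not code from math-codegen: a minimal constant-node emitter that splices a string literal into a new Function() body, once verbatim and once through JSON.stringify(), with a round-trip check a maintainer could use to confirm that an emitted literal is treated as data. The function names and the sample input are hypothetical.

```javascript
// Added example (not math-codegen's own code): a tiny constant-node emitter
// showing the unsafe pattern from the advisory beside the patched pattern.
// Names (emitUnsafe, emitSafe, compile, roundTrips) are hypothetical.

// Unsafe: wraps the literal's text in quotes and trusts it to contain none.
// A value holding a closing quote ends the literal; the rest becomes code.
function emitUnsafe(value) {
  return '"' + value + '"';
}

// Patched pattern: JSON.stringify escapes quotes, backslashes and newlines,
// so the emitted token is always exactly one JavaScript string literal.
function emitSafe(value) {
  return JSON.stringify(value);
}

// Compile a constant node the way a code generator does: the emitted token
// is spliced verbatim into the source handed to new Function().
function compile(emit, value) {
  return new Function('return ' + emit(value) + ';');
}

// Constructed input: meant as plain data, but the unsafe emitter turns the
// middle part into an expression that is evaluated when the function runs.
const INPUT = 'x" + (6 * 7) + "y';

// Unsafe path: the arithmetic runs and the result is "x42y".
function unsafeResult() { return compile(emitUnsafe, INPUT)(); }

// Patched path: the original string comes back unchanged.
function safeResult() { return compile(emitSafe, INPUT)(); }

// Defensive check: an emitted literal must round-trip, i.e. evaluating the
// generated code must yield the exact original value. A SyntaxError (for
// example an unescaped newline) also counts as a failure.
function roundTrips(emit, value) {
  try {
    return compile(emit, value)() === value;
  } catch (e) {
    return false;
  }
}
```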
References
- WEB https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-41507
- WEB https://github.com/mauriciopoppe/math-codegen/pull/11
- WEB https://github.com/mauriciopoppe/math-codegen/commit/4bb52d3030683362b3559ee8dd91350555a05f6b
- WEB https://github.com/hits3134
- PACKAGE https://github.com/mauriciopoppe/math-codegen