Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-41507

CVE-2026-41507: Mauriciopoppe Math-codegen RCE Flaw

CVE-2026-41507 is a remote code execution vulnerability in Mauriciopoppe Math-codegen that allows attackers to execute arbitrary commands through unsanitized input. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-41507 Overview

CVE-2026-41507 is a code injection vulnerability in math-codegen, a Node.js library by Mauriciopoppe that generates JavaScript code from mathematical expressions. Versions prior to 0.4.3 inject string literal content from cg.parse() directly into a new Function() body without sanitization. Any application that forwards user-controlled input to the parser is exposed to remote code execution (RCE). The maintainer addressed the issue in version 0.4.3 by serializing inputs with JSON.stringify() and validating the factory option against a strict identifier pattern. The flaw is tracked under CWE-94: Improper Control of Generation of Code.

Critical Impact

Unauthenticated attackers reaching a vulnerable math evaluation endpoint can execute arbitrary system commands in the Node.js process context.

Affected Products

  • mauriciopoppe/math-codegen versions prior to 0.4.3
  • Node.js applications exposing cg.parse() to user-controlled input
  • Web services using math-codegen for expression evaluation endpoints

Discovery Timeline

  • 2026-05-08 - CVE-2026-41507 published to NVD
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-41507

Vulnerability Analysis

The math-codegen library converts mathematical expressions into executable JavaScript by constructing a function body and instantiating it via new Function(). The code generator embeds the user-supplied expression string into the generated source using naive string concatenation. String literals such as "foo" are placed verbatim between single quotes in the output, so an input containing a closing quote followed by JavaScript statements terminates the literal and injects attacker-controlled code into the function body.

When the generated function executes, the injected payload runs with the privileges of the Node.js process. An attacker can invoke require('child_process').execSync() or similar APIs to execute arbitrary shell commands, read sensitive files, or pivot inside the host environment.

Root Cause

The defect originates in lib/CodeGenerator.js, which built the generated module using the expression " code: '" + code + "'". This produces unsafe source whenever code contains a single quote or newline. A secondary issue in lib/Interpreter.js accepted an arbitrary factory option that flowed into generated code without validation, providing another injection sink.

Attack Vector

Exploitation requires only that user input reach cg.parse(). The attacker submits an expression string crafted to break out of the embedded literal and append JavaScript statements. No authentication, user interaction, or local access is required when the endpoint is exposed over the network.

javascript
// Security patch in lib/CodeGenerator.js (commit 4bb52d3)
     '    $$processScope(scope)',
     '    ' + code,
     '  },',
-    "  code: '" + code + "'",
+    '  code: ' + JSON.stringify(code),
     '}'
   ].join('\n')

Source: GitHub Commit 4bb52d3

The fix replaces unsafe concatenation with JSON.stringify(), which produces a properly escaped JavaScript string literal regardless of input content.

javascript
// Security patch in lib/Interpreter.js (commit 4bb52d3)
   const factory = this.options.factory
   if (typeof factory !== 'string' || !/^[a-zA-Z_$][a-zA-Z0-9_$]*(\.[a-zA-Z_$][a-zA-Z0-9_$]*)*$/.test(factory)) {
     throw new Error('factory must be a valid JS property access path (e.g. "ns.factory")')
   }

Source: GitHub Commit 4bb52d3

The patch additionally enforces that the factory option matches a valid JavaScript property access path, blocking injection through that vector.

Detection Methods for CVE-2026-41507

Indicators of Compromise

  • Unexpected child processes (sh, bash, cmd.exe, powershell.exe) spawned by the Node.js application
  • Outbound network connections from the Node.js process to attacker infrastructure following math expression submissions
  • HTTP request bodies containing single quotes, backslashes, or JavaScript keywords (require, process, function) in fields that feed math evaluation endpoints

Detection Strategies

  • Inventory dependencies with npm ls math-codegen and flag any version below 0.4.3
  • Use software composition analysis (SCA) tooling to identify direct and transitive uses of mauriciopoppe/math-codegen
  • Add WAF rules that reject expression inputs containing quote characters, semicolons, or known RCE primitives

Monitoring Recommendations

  • Audit application logs for parse errors or anomalous expression payloads sent to math endpoints
  • Monitor process trees for the Node.js runtime spawning unexpected interpreters or system binaries
  • Alert on Node.js processes initiating outbound connections to unfamiliar IPs or domains

How to Mitigate CVE-2026-41507

Immediate Actions Required

  • Upgrade math-codegen to version 0.4.3 or later across all affected services
  • Review application code for any path where untrusted input reaches cg.parse() and add server-side validation
  • Restrict the runtime privileges of the Node.js process so a successful RCE has limited blast radius

Patch Information

The maintainer released the fix in commit 4bb52d3 shipped as version 0.4.3. Full advisory details are available in the GitHub Security Advisory GHSA-p6x5-p4xf-cc4r and Pull Request #11.

Workarounds

  • Validate user-supplied expressions against a strict allowlist of mathematical characters before invoking cg.parse()
  • Wrap math evaluation in an isolated worker with the vm2 sandbox or a separate process with seccomp restrictions
  • Disable or remove any HTTP endpoint that exposes cg.parse() to unauthenticated callers until patching completes
bash
# Upgrade math-codegen to the patched release
npm install math-codegen@^0.4.3

# Verify the installed version
npm ls math-codegen

# Audit the dependency tree for vulnerable advisories
npm audit --production

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.