CVE-2026-41507 Overview
CVE-2026-41507 is a code injection vulnerability in math-codegen, a Node.js library by Mauriciopoppe that generates JavaScript code from mathematical expressions. Versions prior to 0.4.3 inject string literal content from cg.parse() directly into a new Function() body without sanitization. Any application that forwards user-controlled input to the parser is exposed to remote code execution (RCE). The maintainer addressed the issue in version 0.4.3 by serializing inputs with JSON.stringify() and validating the factory option against a strict identifier pattern. The flaw is tracked under CWE-94: Improper Control of Generation of Code.
Critical Impact
Unauthenticated attackers reaching a vulnerable math evaluation endpoint can execute arbitrary system commands in the Node.js process context.
Affected Products
- mauriciopoppe/math-codegen versions prior to 0.4.3
- Node.js applications exposing cg.parse() to user-controlled input
- Web services using math-codegen for expression evaluation endpoints
Discovery Timeline
- 2026-05-08 - CVE-2026-41507 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-41507
Vulnerability Analysis
The math-codegen library converts mathematical expressions into executable JavaScript by constructing a function body and instantiating it via new Function(). The code generator embeds the user-supplied expression string into the generated source using naive string concatenation. String literals such as "foo" are placed verbatim between single quotes in the output, so an input containing a closing quote followed by JavaScript statements terminates the literal and injects attacker-controlled code into the function body.
When the generated function executes, the injected payload runs with the privileges of the Node.js process. An attacker can invoke require('child_process').execSync() or similar APIs to execute arbitrary shell commands, read sensitive files, or pivot inside the host environment.
Root Cause
The defect originates in lib/CodeGenerator.js, which built the generated module using the expression " code: '" + code + "'". This produces unsafe source whenever code contains a single quote or newline. A secondary issue in lib/Interpreter.js accepted an arbitrary factory option that flowed into generated code without validation, providing another injection sink.
Attack Vector
Exploitation requires only that user input reach cg.parse(). The attacker submits an expression string crafted to break out of the embedded literal and append JavaScript statements. No authentication, user interaction, or local access is required when the endpoint is exposed over the network.
// Security patch in lib/CodeGenerator.js (commit 4bb52d3)
' $$processScope(scope)',
' ' + code,
' },',
- " code: '" + code + "'",
+ ' code: ' + JSON.stringify(code),
'}'
].join('\n')
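Review bot: the `+ ' code: ' + JSON.stringify(code),` line fixes the `code:` property, but the unchanged `' ' + code,` line two lines above still splices `code` into the function body verbatim, so this hunk is only a complete fix if the `code` reaching the template is already safe to execute; a regression test that pushes string literals containing single quotes, backslashes and newlines through the generator and asserts that the `code` property round-trips unchanged would pin that down.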
Source: GitHub Commit 4bb52d3
The fix replaces unsafe concatenation with JSON.stringify(), which produces a properly escaped JavaScript string literal regardless of input content.
// Security patch in lib/Interpreter.js (commit 4bb52d3)
const factory = this.options.factory
if (typeof factory !== 'string' || !/^[a-zA-Z_$][a-zA-Z0-9_$]*(\.[a-zA-Z_$][a-zA-Z0-9_$]*)*$/.test(factory)) {
throw new Error('factory must be a valid JS property access path (e.g. "ns.factory")')
}
Source: GitHub Commit 4bb52d3
The patch additionally enforces that the factory option matches a valid JavaScript property access path, blocking injection through that vector.
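To show why the two 0.4.3 changes close the sink, here is an added example (not code from the math-codegen project): buildSourceVulnerable mirrors the old concatenation, buildSourceFixed the JSON.stringify() form, and isValidFactory applies the regex from the Interpreter.js patch; roundTrip, preservesInput, compareBuilders and the sample inputs are this example's own.

```javascript
// Added example, not code from the math-codegen project: buildSourceVulnerable
// mirrors the pre-0.4.3 concatenation, buildSourceFixed the JSON.stringify() form.
function buildSourceVulnerable(code) {
  return "({ code: '" + code + "' })";
}

function buildSourceFixed(code) {
  return '({ code: ' + JSON.stringify(code) + ' })';
}

// Evaluate the generated object literal and return the `code` property it carries;
// with correct escaping the result must equal the original string for every input.
function roundTrip(source) {
  return new Function('return ' + source)().code;
}

// Does the builder carry the string through the generated source unchanged?
// A SyntaxError means the input terminated or corrupted the literal.
function preservesInput(builder, code) {
  try {
    return roundTrip(builder(code)) === code;
  } catch (e) {
    return false;
  }
}

// Pattern from the 0.4.3 lib/Interpreter.js patch: a dotted identifier path only.
const FACTORY_RE = /^[a-zA-Z_$][a-zA-Z0-9_$]*(\.[a-zA-Z_$][a-zA-Z0-9_$]*)*$/;

function isValidFactory(factory) {
  return typeof factory === 'string' && FACTORY_RE.test(factory);
}

// Strings a benign expression may legitimately contain (constructed for this example).
const TRICKY_INPUTS = ["it's", 'back\\slash', 'line\nbreak', '"double"'];

// Side-by-side result: the fixed builder preserves every input, the old one does not.
function compareBuilders() {
  return TRICKY_INPUTS.map((s) => ({
    input: s,
    vulnerable: preservesInput(buildSourceVulnerable, s),
    fixed: preservesInput(buildSourceFixed, s),
  }));
}
```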
Detection Methods for CVE-2026-41507
Indicators of Compromise
- Unexpected child processes (sh, bash, cmd.exe, powershell.exe) spawned by the Node.js application
- Outbound network connections from the Node.js process to attacker infrastructure following math expression submissions
- HTTP request bodies containing single quotes, backslashes, or JavaScript keywords (require, process, function) in fields that feed math evaluation endpoints
Detection Strategies
- Inventory dependencies with npm ls math-codegen and flag any version below 0.4.3
- Use software composition analysis (SCA) tooling to identify direct and transitive uses of mauriciopoppe/math-codegen
- Add WAF rules that reject expression inputs containing quote characters, semicolons, or known RCE primitives
Monitoring Recommendations
- Audit application logs for parse errors or anomalous expression payloads sent to math endpoints
- Monitor process trees for the Node.js runtime spawning unexpected interpreters or system binaries
- Alert on Node.js processes initiating outbound connections to unfamiliar IPs or domains
How to Mitigate CVE-2026-41507
Immediate Actions Required
- Upgrade math-codegen to version 0.4.3 or later across all affected services
- Review application code for any path where untrusted input reaches cg.parse() and add server-side validation
- Restrict the runtime privileges of the Node.js process so a successful RCE has limited blast radius
Patch Information
The maintainer released the fix in commit 4bb52d3 shipped as version 0.4.3. Full advisory details are available in the GitHub Security Advisory GHSA-p6x5-p4xf-cc4r and Pull Request #11.
Workarounds
- Validate user-supplied expressions against a strict allowlist of mathematical characters before invoking cg.parse()
- Wrap math evaluation in an isolated worker with the vm2 sandbox or a separate process with seccomp restrictions
- Disable or remove any HTTP endpoint that exposes cg.parse() to unauthenticated callers until patching completes
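The allowlist workaround above and the request-body indicators from the Detection Methods section, as one added example (not code from the advisory or the project): isAllowedExpression is a pre-parse allowlist, and flagSuspicious scans constructed request-log lines for expressions that fail it or carry the listed indicators; function names, the log format and the sample lines are assumptions of this example.

```javascript
// Added example (not from the advisory or the project): an allowlist applied before
// cg.parse() and a scanner for the request-body indicators listed in Detection Methods.
// Function names, the log format and the sample lines are constructed for this example.

// Allowlist: digits, identifiers, whitespace, arithmetic operators, parentheses, commas, dots.
// Quotes, backslashes, semicolons, braces and brackets are rejected before they reach the parser.
const EXPR_ALLOWED_RE = /^[0-9A-Za-z_\s+\-*\/^%(),.]*$/;
const MAX_EXPR_LENGTH = 256;

function isAllowedExpression(expr) {
  return typeof expr === 'string' &&
    expr.length > 0 &&
    expr.length <= MAX_EXPR_LENGTH &&
    EXPR_ALLOWED_RE.test(expr);
}

// Indicators named in the advisory: quote characters, backslashes and JavaScript
// keywords that have no place in a math expression.
const INDICATOR_RE = /['"\\]|\b(require|process|function)\b/;

// Parse one constructed log line of the form: <ts> <method> <path> <status> expr="..."
function parseLogLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\d{3}) expr="(.*)"$/.exec(line);
  if (!m) return null;
  return { ts: m[1], method: m[2], path: m[3], status: Number(m[4]), expr: m[5] };
}

// Return the timestamps of requests whose expression fails the allowlist or carries
// an indicator, so they can be alerted on and reviewed.
function flagSuspicious(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;
    if (!isAllowedExpression(rec.expr) || INDICATOR_RE.test(rec.expr)) hits.push(rec.ts);
  }
  return hits;
}

// Constructed sample lines, not real traffic.
const SAMPLE_LOG = [
  '2026-05-09T10:12:01Z POST /api/eval 200 expr="sin(x)^2 + cos(x)^2"',
  '2026-05-09T10:12:05Z POST /api/eval 200 expr="max(a, b) * 3.5"',
  '2026-05-09T10:12:09Z POST /api/eval 500 expr="1 + \'a\'; require"',
  '2026-05-09T10:12:12Z POST /api/eval 200 expr="x \\\\ 2"',
  'malformed line that the parser skips',
];
```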
# Upgrade math-codegen to the patched release
npm install math-codegen@^0.4.3
# Verify the installed version
npm ls math-codegen
# Audit the dependency tree for vulnerable advisories
npm audit --production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.