Mathjs expression parser allows arbitrary JavaScript execution
GHSA-29qv-4j9f-fjw5 · CVE-2026-40897 · CVSS 3.1 base score: 8.8
Summary
If your application lets users enter math expressions that are evaluated with mathjs, an attacker can use those expressions to run arbitrary JavaScript. This affects mathjs versions before 15.2.0. To stay safe, update to version 15.2.0 or later.
What to do
- Update josdejong mathjs to version 15.2.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | josdejong | mathjs | >= 13.1.1, < 15.2.0 (fix: upgrade to 15.2.0) |
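As an added check (example code written here, not part of the advisory or of the mathjs project), the following walks the `packages` map of a package-lock.json and reports every mathjs copy whose version falls inside the advisory's range `>= 13.1.1, < 15.2.0`, including nested copies that `npm ls` users often miss; the lockfile contents are constructed sample data.

```javascript
// Added example (not part of the advisory): flag mathjs installs in the
// affected range ">= 13.1.1, < 15.2.0" by walking a package-lock.json v2/v3
// "packages" map. The lockfile below is constructed sample data.
const AFFECTED = { min: [13, 1, 1], fixedIn: [15, 2, 0] };

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"); prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric (not string) comparison of [major, minor, patch]: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when min <= version < fixedIn, i.e. inside the advisory's range.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED.min) >= 0 &&
         compareVersions(v, AFFECTED.fixedIn) < 0;
}

// Return every lockfile path whose mathjs entry is in the affected range,
// including nested copies such as node_modules/foo/node_modules/mathjs.
function findAffectedMathjs(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const isMathjs = path === 'node_modules/mathjs' || path.endsWith('/node_modules/mathjs');
    if (isMathjs && entry.version && isAffectedVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile: one vulnerable top-level copy, one patched nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/mathjs': { version: '14.0.0' },
    'node_modules/some-lib/node_modules/mathjs': { version: '15.2.0' },
  },
};
```

Run `findAffectedMathjs(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))` against a real lockfile; an empty result means no copy of mathjs in the affected range is installed.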
Original title
Unsafe object property setter in mathjs
Original description
### Impact
This security vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser.
### Patches
The issue was introduced in mathjs `v13.1.1`, and patched in mathjs `v15.2.0`.
### Workarounds
There is no workaround without upgrading to `v15.2.0`.
### References
You can find out more via the commit fixing this issue: https://github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326ad (part of PR https://github.com/josdejong/mathjs/pull/3656).
Severity: CVSS 3.1 base score 8.8 (source: GHSA)
Vulnerability type: CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026