GHSA-29QV-4J9F-FJW5
Vulnerability from github – Published: 2026-04-16 22:38 – Updated: 2026-04-16 22:38
Summary
Unsafe object property setter in mathjs
Details
Impact
This vulnerability allowed executing arbitrary JavaScript via the mathjs expression parser. You are affected if your application lets users evaluate arbitrary expressions through the mathjs expression parser.
Patches
The issue was introduced in mathjs v13.1.1, and patched in mathjs v15.2.0.
Workarounds
There is no workaround without upgrading to v15.2.0.
References
You can find out more via the commit fixing this issue: https://github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326ad (part of PR https://github.com/josdejong/mathjs/pull/3656).
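The affected range in the OSV-format record on this page (introduced 13.1.1, fixed 15.2.0) is what a defender needs to check against. The following is an added example, not code from the GHSA record or from the mathjs project: it evaluates OSV "ECOSYSTEM" range events against a semver version using the OSV event semantics (a version is affected when the highest event at or below it is "introduced"), and scans an npm lockfile for every copy of mathjs, including nested ones. The lockfile object is constructed for the example; the versions it contains are illustrative.

```javascript
// Added example (not part of the GHSA record or of mathjs).
// Ranges copied from the "affected" section of the record on this page.
const AFFECTED_RANGES = [
  { type: "ECOSYSTEM", events: [{ introduced: "13.1.1" }, { fixed: "15.2.0" }] },
];

const ZERO = { major: 0, minor: 0, patch: 0, pre: null };

// Parse "major.minor.patch[-prerelease]" (an optional leading "v" is tolerated).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts before its release (semver 2.0, rule 11),
// so "15.2.0-beta.1" is below the fixed version "15.2.0" and still affected.
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// OSV semantics: walk the range's events in version order and remember the
// state set by the last event that is at or below the queried version.
// "introduced": "0" means "from the first version".
function isAffected(version, ranges = AFFECTED_RANGES) {
  const v = parseSemver(version);
  return ranges.some((range) => {
    const events = range.events
      .map((e) => {
        const kind = Object.keys(e)[0];
        const raw = e[kind];
        return { kind, at: raw === "0" ? ZERO : parseSemver(raw) };
      })
      .sort((x, y) => compareSemver(x.at, y.at));
    let affected = false;
    for (const ev of events) {
      const cmp = compareSemver(ev.at, v);
      if (cmp > 0) break; // event lies above the queried version
      if (ev.kind === "introduced") affected = true;
      else if (ev.kind === "fixed") affected = false;
      else if (ev.kind === "last_affected") affected = cmp === 0; // <= last_affected
    }
    return affected;
  });
}

// Scan an npm lockfile (lockfileVersion 2 or 3, "packages" map) for every
// installed copy of a package, including copies nested under other packages.
function auditLockfile(lock, pkgName = "mathjs", ranges = AFFECTED_RANGES) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${pkgName}` || path.endsWith(`/node_modules/${pkgName}`)) {
      findings.push({ path, version: entry.version, affected: isAffected(entry.version, ranges) });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one direct copy of mathjs
// inside the affected range and one nested copy already on the fixed version.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { mathjs: "^14.0.0" } },
    "node_modules/mathjs": { version: "14.0.0" },
    "node_modules/some-plugin/node_modules/mathjs": { version: "15.2.0" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCKFILE), null, 2));
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCKFILE` with the parsed file; a nested copy under another dependency is reported separately because upgrading the top-level mathjs does not fix it.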
Severity
8.8 (High)
{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mathjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.1.1"
            },
            {
              "fixed": "15.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T22:38:43Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nThis security vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser.\n\n### Patches\nThe issue was introduced in mathjs `v13.1.1`, and patched in mathjs `v15.2.0`.\n\n### Workarounds\nThere is no workaround without upgrading to `v15.2.0`.\n\n### References\nYou can find out more via the commit fixing this issue: https://github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326ad (part of PR https://github.com/josdejong/mathjs/pull/3656).",
  "id": "GHSA-29qv-4j9f-fjw5",
  "modified": "2026-04-16T22:38:43Z",
  "published": "2026-04-16T22:38:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/josdejong/mathjs/security/advisories/GHSA-29qv-4j9f-fjw5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/josdejong/mathjs/pull/3656"
    },
    {
      "type": "WEB",
      "url": "https://github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326ad"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/josdejong/mathjs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unsafe object property setter in mathjs"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.