JavaScript Math Library Vulnerability in Math.js Affects Users
CVE-2026-40897

8.8 HIGH

Key Information:

Vendor: Josdejong
CVE Published: 24 April 2026

What is CVE-2026-40897?

A significant vulnerability has been identified in Math.js, a popular mathematics library for JavaScript and Node.js. In versions from 13.1.1 up to, but not including, 15.2.0, the vulnerability allows attackers to execute arbitrary JavaScript through the library's expression parser. Applications that use Math.js to evaluate expressions supplied by users are particularly at risk. To mitigate the risk, upgrade to Math.js version 15.2.0 or later, which contains the necessary security patches. For further information, consult the official advisory and the relevant GitHub commits.

Affected Version(s)

mathjs >= 13.1.1, < 15.2.0
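
To check a project against the affected range above, this Node.js sketch scans a parsed package-lock.json for every installed copy of mathjs, including nested transitive ones. It is an added example, not code from Math.js or the advisory; the function names and the sample lockfile are constructed for illustration, and it assumes lockfileVersion 2 or 3.

```javascript
// Added example: flag mathjs versions inside the range given by this advisory.
const AFFECTED_FROM = [13, 1, 1]; // first affected version (inclusive)
const FIXED_IN = [15, 2, 0];      // first patched version (exclusive bound)

// Parse "MAJOR.MINOR.PATCH"; anything else (e.g. pre-release tags) returns null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric three-part comparison: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = in range, false = outside, null = unparsed version, review by hand.
function isAffected(version) {
  const v = parseVersion(version);
  if (v === null) return null;
  return compare(v, AFFECTED_FROM) >= 0 && compare(v, FIXED_IN) < 0;
}

// In lockfileVersion 2/3, every installed copy is listed under "packages",
// keyed by its node_modules path, so nested copies are visible too.
function findMathjs(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/mathjs' || path.endsWith('/node_modules/mathjs')) {
      hits.push({ path, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile (package names other than mathjs are hypothetical).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'calc-service', version: '1.0.0' },
    'node_modules/mathjs': { version: '14.0.1' },
    'node_modules/report-tool/node_modules/mathjs': { version: '15.2.0' },
    'node_modules/legacy-widget/node_modules/mathjs': { version: '13.1.0' },
  },
};

for (const h of findMathjs(sampleLock)) console.log(h.path, h.version, h.affected);
```

A hit means an affected release is installed; as the description above notes, the exposure is in applications where user-supplied expressions reach the parser.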


CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
