Critical RCE in Math.js Expression Parser (CVE-2026-40897)

A high-severity vulnerability, tracked as CVE-2026-40897, has been identified in Math.js, a widely used JavaScript and Node.js math library. The National Vulnerability Database reports that versions from 13.1.1 up to, but not including, 15.2.0 are susceptible to arbitrary JavaScript execution through its expression parser. This means any application that allows users to evaluate expressions via the Math.js parser could be compromised.

This isn’t just a theoretical flaw; it presents a clear path for remote code execution. An attacker could inject malicious JavaScript through user-controlled input and gain control over the application’s execution environment. The National Vulnerability Database has assigned this a CVSS score of 8.8 (High), reflecting the severity of the impact: a high loss of confidentiality, integrity, and availability, with low attack complexity and no user interaction required.

For defenders, this is a clear call to action. If your applications integrate Math.js and expose its expression parser to user input, you are exposed. The fix is available in Math.js version 15.2.0. Patching is non-negotiable here. Ignoring this leaves a wide-open door for attackers to execute arbitrary code within your systems, potentially leading to data exfiltration, system compromise, or further lateral movement.

What This Means For You

  • If your development teams use Math.js in any application, immediately check its version. Any version between 13.1.1 and 15.1.x inclusive is vulnerable to CVE-2026-40897. Prioritize upgrading to Math.js 15.2.0 or newer to prevent arbitrary JavaScript execution, especially in applications that parse user-supplied expressions.
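The version check above, as an added example (not code from the advisory or from the Math.js project): a small Node.js script that walks a package-lock.json and flags every installed copy of mathjs whose version falls in the affected range, 13.1.1 inclusive to 15.2.0 exclusive. The lockfile contents are constructed sample input, and the function names are assumptions.

```javascript
// Added example (not from the advisory): flag vulnerable mathjs versions in a
// package-lock.json. Affected range per the advisory: >= 13.1.1 and < 15.2.0.
// No external dependencies; the lockfile below is constructed sample input.

const VULN_MIN = [13, 1, 1]; // first affected version (inclusive)
const FIXED = [15, 2, 0];    // first fixed version (exclusive)

// Parse "major.minor.patch" (optional leading "v", optional prerelease/build
// suffix) into a numeric triple; null for anything that is not semver-shaped.
// The suffix is ignored, so a "15.2.0-beta" string is treated as fixed: inspect
// such entries by hand.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(version).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when version lies inside [VULN_MIN, FIXED).
function isVulnerableMathjs(version) {
  const v = parseSemver(version);
  if (!v) return false; // unparseable: caller should inspect manually
  return compareSemver(v, VULN_MIN) >= 0 && compareSemver(v, FIXED) < 0;
}

// Walk a lockfile and return every path at which a vulnerable mathjs is
// installed. Handles the lockfileVersion 2/3 "packages" map and falls back to
// the lockfileVersion 1 nested "dependencies" tree.
function findVulnerableMathjs(lockfile) {
  const hits = [];
  const packages = lockfile.packages || {};
  for (const [path, info] of Object.entries(packages)) {
    if (path === 'node_modules/mathjs' || path.endsWith('/node_modules/mathjs')) {
      if (isVulnerableMathjs(info.version)) hits.push({ path, version: info.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'mathjs' && isVulnerableMathjs(info.version)) {
        hits.push({ path, version: info.version });
      }
      walk(info.dependencies, path + '/');
    }
  };
  if (!lockfile.packages) walk(lockfile.dependencies, '');
  return hits;
}

// Constructed sample lockfile (v3 layout): one direct vulnerable copy and one
// nested copy that is already on the fixed release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/mathjs': { version: '14.0.1' },
    'node_modules/some-plugin/node_modules/mathjs': { version: '15.2.0' },
  },
};

console.log(findVulnerableMathjs(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Nested copies matter: a plugin that pins its own mathjs keeps you exposed even after the top-level dependency is upgraded.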

Related ATT&CK Techniques

  • T1190 (Initial Access)

Detection Rules

Sigma YAML:
title: CVE-2026-40897 - Math.js Expression Parser RCE via eval
id: scw-2026-04-24-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-40897 by looking for specific patterns in web server request queries that indicate the use of the vulnerable math.js expression parser to evaluate arbitrary JavaScript code. This is a critical detection for initial access via web applications.
author: SCW Feed Engine (AI-generated)
date: 2026-04-24
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40897/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - 'math.evaluate('
      - 'math.parser().evaluate('
  condition: selection
falsepositives:
  - Legitimate administrative activity
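To show what the rule's selection actually matches, here is an added example, not part of the advisory or of the Sigma rule's source, that applies the cs-uri-query|contains selection to constructed W3C-style web server log lines. The log parser, the field names other than cs-uri-query, and the sample requests are assumptions.

```javascript
// Added example (not part of the advisory or the Sigma rule): evaluate the
// rule's "cs-uri-query|contains" selection over W3C extended-format web server
// log records. The log text below is a constructed sample.

const RULE = {
  title: 'CVE-2026-40897 - Math.js Expression Parser RCE via eval',
  field: 'cs-uri-query',
  contains: ['math.evaluate(', 'math.parser().evaluate('],
};

// Parse a W3C extended log that carries a "#Fields:" directive into objects
// keyed by field name. Other "#" directive lines are ignored.
function parseW3cLog(text) {
  let fields = null;
  const records = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    if (line.startsWith('#Fields:')) {
      fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith('#') || !fields) continue;
    const values = line.split(/\s+/);
    const rec = {};
    fields.forEach((f, i) => { rec[f] = values[i] ?? ''; });
    records.push(rec);
  }
  return records;
}

// Sigma "|contains" is a case-insensitive substring match. The query string is
// URL-decoded first so that a percent-encoded copy of the pattern is not missed.
function matchesSelection(record, rule) {
  let value = record[rule.field] ?? '';
  try { value = decodeURIComponent(value); } catch (_) { /* keep raw value on bad encoding */ }
  const lower = value.toLowerCase();
  return rule.contains.some((needle) => lower.includes(needle.toLowerCase()));
}

// Return one alert object per matching record.
function detect(logText, rule = RULE) {
  return parseW3cLog(logText)
    .filter((r) => matchesSelection(r, rule))
    .map((r) => ({ rule: rule.title, client: r['c-ip'], uri: r['cs-uri-stem'], query: r[rule.field] }));
}

// Constructed sample log: a benign request, one carrying the literal method
// name in its query, and one percent-encoded variant.
const SAMPLE_LOG = `
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-04-24 20:16:01 203.0.113.10 GET /calc expr=2%2B2 200
2026-04-24 20:16:05 203.0.113.11 GET /calc expr=math.evaluate(%221%2B1%22) 200
2026-04-24 20:16:09 203.0.113.12 GET /calc expr=math.parser%28%29.evaluate%28 500
`;

console.log(detect(SAMPLE_LOG));
```

Note what the selection keys on: the literal method names appearing in the request query string. A request that submits an expression to an endpoint backed by Math.js need not contain those strings at all, so treat this rule as a low-recall indicator and rely on the version check and the upgrade to 15.2.0 as the primary control.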

Source: Shimi's Cyber World

Indicators of Compromise

ID               Type            Indicator
CVE-2026-40897   RCE             mathjs library versions 13.1.1 to before 15.2.0
CVE-2026-40897   Code Injection  mathjs expression parser
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 24, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
