Listen to this Post
The vulnerability resides in how `math-codegen` processes string literals. When an application passes user‑controlled input to cg.parse(), the library does not sanitize or escape the string content. Instead, it injects that content verbatim into the body of a dynamically generated JavaScript function using new Function(...). This turns any unsanitized string literal into executable code. An attacker can craft a malicious expression containing system commands (e.g., require('child_process').exec('calc')) inside a string literal. When `cg.parse()` processes that input, the payload becomes part of the generated function body and is executed immediately, giving the attacker arbitrary code execution on the server or client. The attack requires no special privileges—only that the application evaluates a mathematical expression with user input. Because the library does not distinguish between data and code, any string literal is blindly trusted. The fix replaces the direct string concatenation with `JSON.stringify()` in lib/node/ConstantNode.js, ensuring that string values are treated as JSON data rather than executable code. Users must upgrade to version 0.4.3 or later to close this injection path.
dailycve form: Platform: Node.js / npm Version: < 0.4.3 Vulnerability: String‑literal code injection Severity: Critical date: 2026‑04‑17 Prediction: Patch already available (2026‑04‑17)
What Undercode Say:
1. Check installed version (vulnerable if < 0.4.3) npm list math-codegen 2. Upgrade to patched version npm install [email protected] 3. Verify fix (look for JSON.stringify in ConstantNode.js) grep -n "JSON.stringify" node_modules/math-codegen/lib/node/ConstantNode.js 4. Manual workaround (escape user input before passing to parser) node -e "const userInput = 'malicious\' + (require(\'child_process\').exec(\'calc\'))'; const safe = JSON.stringify(userInput); console.log(safe);"
How Exploit:
// Vulnerable code (math-codegen < 0.4.3)
const cg = require('math-codegen');
const userExpr = '" + require("child_process").exec("calc") + "'; // attacker input
const ast = cg.parse(userExpr); // payload injected into new Function()
ast.evaluate(); // triggers arbitrary command execution
Protection from this CVE
1. Upgrade to `[email protected]` or higher.
- Validate/sanitize all user input before passing to
cg.parse(). - Apply the workaround by manually escaping string literals using
JSON.stringify(). - Monitor applications that evaluate mathematical expressions for unexpected behavior.
Impact
- Remote Code Execution – attacker can run arbitrary system commands.
- Full compromise of the server or client environment.
- Data breach – access to files, databases, and internal services.
- Lateral movement – foothold for further attacks within the network.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

