math-codegen, Remote Code Execution (RCE) via String Literal Injection, GHSA-p6x5-p4xf-cc4r (Critical)

Listen to this Post

The vulnerability resides in how `math-codegen` processes string literals. When an application passes user‑controlled input to cg.parse(), the library does not sanitize or escape the string content. Instead, it injects that content verbatim into the body of a dynamically generated JavaScript function using new Function(...). This turns any unsanitized string literal into executable code. An attacker can craft a malicious expression containing system commands (e.g., require('child_process').exec('calc')) inside a string literal. When `cg.parse()` processes that input, the payload becomes part of the generated function body and is executed immediately, giving the attacker arbitrary code execution on the server or client. The attack requires no special privileges—only that the application evaluates a mathematical expression with user input. Because the library does not distinguish between data and code, any string literal is blindly trusted. The fix replaces the direct string concatenation with `JSON.stringify()` in lib/node/ConstantNode.js, ensuring that string values are treated as JSON data rather than executable code. Users must upgrade to version 0.4.3 or later to close this injection path.

dailycve form:
Platform: Node.js / npm
Version: < 0.4.3
Vulnerability: String‑literal code injection
Severity: Critical
date: 2026‑04‑17
Prediction: Patch already available (2026‑04‑17)

What Undercode Say:

1. Check installed version (vulnerable if < 0.4.3)
npm list math-codegen
2. Upgrade to patched version
npm install [email protected]
3. Verify fix (look for JSON.stringify in ConstantNode.js)
grep -n "JSON.stringify" node_modules/math-codegen/lib/node/ConstantNode.js
4. Manual workaround (escape user input before passing to parser)
node -e "const userInput = 'malicious\' + (require(\'child_process\').exec(\'calc\'))'; const safe = JSON.stringify(userInput); console.log(safe);"

How Exploit:

// Vulnerable code (math-codegen < 0.4.3)
const cg = require('math-codegen');
const userExpr = '" + require("child_process").exec("calc") + "'; // attacker input
const ast = cg.parse(userExpr); // payload injected into new Function()
ast.evaluate(); // triggers arbitrary command execution

Protection from this CVE

1. Upgrade to `[email protected]` or higher.

  1. Validate/sanitize all user input before passing to cg.parse().
  2. Apply the workaround by manually escaping string literals using JSON.stringify().
  3. Monitor applications that evaluate mathematical expressions for unexpected behavior.

Impact

  • Remote Code Execution – attacker can run arbitrary system commands.
  • Full compromise of the server or client environment.
  • Data breach – access to files, databases, and internal services.
  • Lateral movement – foothold for further attacks within the network.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top