mathjs, Unsafe object property setter, CVE (N/A) (High)

Listen to this Post

The vulnerability resides in the `setSafeProperty` function of the mathjs expression parser. Before patching, this function did not adequately restrict the assignment of properties on objects, allowing an attacker to write to dangerous properties such as `__proto__` and constructor.
1. An attacker crafts a malicious mathjs expression (e.g., __proto__.polluted = 'malicious').
2. The expression parser evaluates the input and calls `setSafeProperty` to assign the property.
3. The vulnerable `isSafeProperty` check only validates against a limited whitelist and does not block __proto__.
4. The assignment is executed, polluting the global Object.prototype.
5. Once the prototype is polluted, all objects in the application inherit the tainted property.
6. By setting `constructor` to a custom function, the attacker can hijack object creation.
7. This enables arbitrary JavaScript code execution within the application’s context.
8. The vulnerability affects mathjs versions from v13.1.1 up to v15.1.1.

9. The fix introduces `isSafeObjectProperty` and `isSafeArrayProperty` checks.

  1. For objects, the fix blocks any property that exists on `Object.prototype` or Function.prototype.
  2. For arrays, only numeric indices and the `length` property are permitted.
  3. The expression parser is hardened to prevent prototype pollution and RCE.
  4. No workaround exists; upgrading to the patched version is required.
  5. The fix is implemented in commit 513ab2a and merged via PR 3656.
  6. Applications that allow users to evaluate arbitrary expressions are directly at risk.
  7. The vulnerability was published to the GitHub Advisory Database on April 16, 2026.
  8. It is classified as a prototype pollution leading to arbitrary code execution.
  9. The patched version v15.2.0 was released on the same day.
  10. Developers are urged to upgrade immediately to avoid compromise.
  11. This security flaw highlights the need for strict property validation in expression parsers.
    Platform: mathjs npm
    Version: <15.2.0
    Vulnerability: Prototype Pollution
    Severity: High
    date: 2026-04-16

    Prediction: Patch 2026-04-16

Analytics under What Undercode Say:

Check mathjs version in package.json
grep '"mathjs"' package.json
Upgrade to patched version
npm install [email protected]
Detect vulnerable versions (13.1.1 to 15.1.1)
npm list mathjs | grep -E 'mathjs@(1[3-4].|15.[bash].)'
// Vulnerability test for mathjs < 15.2.0
const math = require('mathjs');
const maliciousExpr = '<strong>proto</strong>.polluted = "malicious"';
math.evaluate(maliciousExpr);
console.log({}.polluted); // Outputs "malicious" if vulnerable

Exploit:

  1. Identify an application using mathjs <15.2.0 that evaluates user expressions.
  2. Submit the expression: `__proto__.exec = function() { return require(‘child_process’).execSync(‘whoami’); }`
    3. After prototype pollution, trigger a seemingly benign expression like a = {}.
  3. The polluted `exec` function executes arbitrary system commands.
  4. For a silent attack, chain assignments to overwrite `constructor` and hijack object creation.

    Protection from this CVE

– Upgrade immediately to mathjs v15.2.0 or later.
– If an upgrade is impossible, deploy a Web Application Firewall (WAF) to block expressions containing __proto__, constructor, or prototype.
– Sanitize and validate all user input before passing it to math.evaluate().
– Run the mathjs parser in a sandboxed environment (e.g., a separate Node.js worker with limited permissions).
– Monitor application logs for prototype pollution attempts (e.g., unexpected properties on global objects).

Impact

  • Arbitrary JavaScript execution within the application’s context.
  • Remote code execution (RCE) in Node.js environments.
  • Full application compromise via prototype pollution.
  • Data leakage, manipulation, or deletion.
  • Potential for lateral movement and complete system takeover.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top