Listen to this Post
The vulnerability resides in the `setSafeProperty` function of the mathjs expression parser. Before patching, this function did not adequately restrict the assignment of properties on objects, allowing an attacker to write to dangerous properties such as `__proto__` and constructor.
1. An attacker crafts a malicious mathjs expression (e.g., __proto__.polluted = 'malicious').
2. The expression parser evaluates the input and calls `setSafeProperty` to assign the property.
3. The vulnerable `isSafeProperty` check only validates against a limited whitelist and does not block __proto__.
4. The assignment is executed, polluting the global Object.prototype.
5. Once the prototype is polluted, all objects in the application inherit the tainted property.
6. By setting `constructor` to a custom function, the attacker can hijack object creation.
7. This enables arbitrary JavaScript code execution within the application’s context.
8. The vulnerability affects mathjs versions from v13.1.1 up to v15.1.1.
9. The fix introduces `isSafeObjectProperty` and `isSafeArrayProperty` checks.
- For objects, the fix blocks any property that exists on `Object.prototype` or
Function.prototype. - For arrays, only numeric indices and the `length` property are permitted.
- The expression parser is hardened to prevent prototype pollution and RCE.
- No workaround exists; upgrading to the patched version is required.
- The fix is implemented in commit 513ab2a and merged via PR 3656.
- Applications that allow users to evaluate arbitrary expressions are directly at risk.
- The vulnerability was published to the GitHub Advisory Database on April 16, 2026.
- It is classified as a prototype pollution leading to arbitrary code execution.
- The patched version v15.2.0 was released on the same day.
- Developers are urged to upgrade immediately to avoid compromise.
- This security flaw highlights the need for strict property validation in expression parsers.
Platform: mathjs npm
Version: <15.2.0
Vulnerability: Prototype Pollution
Severity: High
date: 2026-04-16Prediction: Patch 2026-04-16
Analytics under What Undercode Say:
Check mathjs version in package.json grep '"mathjs"' package.json Upgrade to patched version npm install [email protected] Detect vulnerable versions (13.1.1 to 15.1.1) npm list mathjs | grep -E 'mathjs@(1[3-4].|15.[bash].)'
// Vulnerability test for mathjs < 15.2.0
const math = require('mathjs');
const maliciousExpr = '<strong>proto</strong>.polluted = "malicious"';
math.evaluate(maliciousExpr);
console.log({}.polluted); // Outputs "malicious" if vulnerable
Exploit:
- Identify an application using mathjs <15.2.0 that evaluates user expressions.
- Submit the expression: `__proto__.exec = function() { return require(‘child_process’).execSync(‘whoami’); }`
3. After prototype pollution, trigger a seemingly benign expression likea = {}. - The polluted `exec` function executes arbitrary system commands.
- For a silent attack, chain assignments to overwrite `constructor` and hijack object creation.
Protection from this CVE
– Upgrade immediately to mathjs v15.2.0 or later.
– If an upgrade is impossible, deploy a Web Application Firewall (WAF) to block expressions containing __proto__, constructor, or prototype.
– Sanitize and validate all user input before passing it to math.evaluate().
– Run the mathjs parser in a sandboxed environment (e.g., a separate Node.js worker with limited permissions).
– Monitor application logs for prototype pollution attempts (e.g., unexpected properties on global objects).
Impact
- Arbitrary JavaScript execution within the application’s context.
- Remote code execution (RCE) in Node.js environments.
- Full application compromise via prototype pollution.
- Data leakage, manipulation, or deletion.
- Potential for lateral movement and complete system takeover.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

