CVE-2026-40897: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in josdejong mathjs
A high-severity vulnerability (CVE-2026-40897) exists in the mathjs library versions from 13. 1. 1 up to but not including 15. 2. 0. This flaw allows arbitrary JavaScript execution via the mathjs expression parser when user input is evaluated. The issue is due to improperly controlled modification of dynamically-determined object attributes (CWE-915). The vulnerability is fixed in version 15. 2. 0.
AI Analysis
Technical Summary
The mathjs library for JavaScript and Node.js contains a vulnerability in versions >=13.1.1 and <15.2.0 that permits execution of arbitrary JavaScript code through its expression parser. This occurs because the library does not properly control modifications of dynamically-determined object attributes, classified under CWE-915. Applications that allow users to evaluate arbitrary expressions using mathjs are at risk. The vulnerability has a CVSS 3.1 score of 8.8, indicating high severity, with network attack vector, low attack complexity, and no user interaction required. The vulnerability was publicly disclosed on April 24, 2026, and is fixed in mathjs version 15.2.0.
Potential Impact
Successful exploitation allows an attacker with at least low privileges to execute arbitrary JavaScript code remotely without user interaction, resulting in complete confidentiality, integrity, and availability compromise of the affected system or application. This can lead to full system takeover or data breach in applications that evaluate untrusted expressions using mathjs versions prior to 15.2.0.
Mitigation Recommendations
Upgrade mathjs to version 15.2.0 or later, where this vulnerability is fixed. Since the vendor advisory confirms the fix in 15.2.0, applying this official patch is the recommended remediation. No other mitigations are indicated by the vendor advisory.
CVE-2026-40897: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in josdejong mathjs
Description
A high-severity vulnerability (CVE-2026-40897) exists in the mathjs library versions from 13. 1. 1 up to but not including 15. 2. 0. This flaw allows arbitrary JavaScript execution via the mathjs expression parser when user input is evaluated. The issue is due to improperly controlled modification of dynamically-determined object attributes (CWE-915). The vulnerability is fixed in version 15. 2. 0.
CVSS v3.1
Score 8.8high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The mathjs library for JavaScript and Node.js contains a vulnerability in versions >=13.1.1 and <15.2.0 that permits execution of arbitrary JavaScript code through its expression parser. This occurs because the library does not properly control modifications of dynamically-determined object attributes, classified under CWE-915. Applications that allow users to evaluate arbitrary expressions using mathjs are at risk. The vulnerability has a CVSS 3.1 score of 8.8, indicating high severity, with network attack vector, low attack complexity, and no user interaction required. The vulnerability was publicly disclosed on April 24, 2026, and is fixed in mathjs version 15.2.0.
Potential Impact
Successful exploitation allows an attacker with at least low privileges to execute arbitrary JavaScript code remotely without user interaction, resulting in complete confidentiality, integrity, and availability compromise of the affected system or application. This can lead to full system takeover or data breach in applications that evaluate untrusted expressions using mathjs versions prior to 15.2.0.
Mitigation Recommendations
Upgrade mathjs to version 15.2.0 or later, where this vulnerability is fixed. Since the vendor advisory confirms the fix in 15.2.0, applying this official patch is the recommended remediation. No other mitigations are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T16:37:22.766Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69eba2fd87115cfb68542cd0
Added to database: 4/24/2026, 5:06:05 PM
Last enriched: 5/1/2026, 8:45:35 PM
Last updated: 6/7/2026, 11:29:37 AM
Views: 73
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.