Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.
Casky was already ahead
This CVE exploits attack patterns that Casky's matched skills already investigate, long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Math.js versions 13.1.0 through 15.1.x contain a critical vulnerability in their expression parser that allows attackers to execute arbitrary JavaScript code. This affects any application using the library to parse and evaluate mathematical expressions, particularly those accepting user-supplied input. The vulnerability is especially dangerous in server-side Node.js environments where code execution could compromise entire systems, and in client-side applications where it could lead to session hijacking or malware distribution. Organizations relying on Math.js for educational platforms, scientific computing tools, or any expression evaluation service face immediate risk.
While this CVE does not map to specific MITRE ATT&CK techniques, Casky's security skills platform would identify attack patterns through Claude AI's extended reasoning by analyzing code execution flows and input validation bypasses. Practitioners using Casky would observe detection findings related to unsafe expression parsing, improper input sanitization, and code injection vectors—skills that map to CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes). The platform would flag instances where user input flows directly into Math.js parser calls without validation, highlighting the execution path from untrusted input to arbitrary code execution. Security teams would see recommendations to implement expression whitelisting, sandboxing, or immediate patching to version 15.2.0 or later.
© 2026 Casky.AI, Inc. · AI Security Investigation