CVE

GHSA-p6x5-p4xf-cc4r

Remote Code Execution (RCE) via String Literal Injection into math-codegen

CVE

GHSA-p6x5-p4xf-cc4r

Remote Code Execution (RCE) via String Literal Injection into math-codegen

Impact

String literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE.

Patches

The vulnerability is addressed by using JSON.stringify() on string literal values in lib/node/ConstantNode.js to ensure they are treated as data rather than code. Users should upgrade to version 0.4.3 or later.

Workarounds

Avoid passing un-sanitized user input to the parser or manually escape string literals in the input.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Related Resources

No items found.

References

https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r, https://github.com/mauriciopoppe/math-codegen/pull/11, https://github.com/hits3134, https://github.com/mauriciopoppe/math-codegen

Severity

9.8

CVSS Score

Basic Information

Ecosystem

Base CVSS

9.8

EPSS Probability

EPSS Percentile

Introduced Version

Fix Available

0.4.3

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

GHSA-p6x5-p4xf-cc4r

GHSA-p6x5-p4xf-cc4r

Impact

Patches

Workarounds

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

9.8

Basic Information

Fix Critical Vulnerabilities Instantly