CVE-2026-41507 - math-codegen string literal RCE

math-codegen versions before 0.4.3 can inject string literal content passed to cg.parse() into a generated new Function() body. When untrusted input reaches the parser, an attacker can turn formula or expression evaluation into server-side JavaScript code execution.

This class of vulnerability is especially relevant for agentic systems that accept user, ticket, spreadsheet, or tool-output expressions and evaluate them inside automation workers.

Affected versions

Vulnerable: math-codegen <0.4.3
Fixed: math-codegen 0.4.3+
Affected API: cg.parse() when untrusted string literals reach generated code.

Indicator-of-exposure

The repository depends on math-codegen directly or transitively.
Application code calls cg.parse(), parse(), generated expression functions, or wrappers around math/formula evaluation.
Users, tenants, spreadsheets, workflow YAML, tickets, LLM outputs, tool outputs, dashboards, rules, or API requests can supply expressions.
Expression evaluation runs in a server, worker, CI job, MCP tool, browser automation host, or privileged background process.
The process has access to credentials, source code, customer data, internal network routes, build artifacts, or writable deployment state.

Quick checks:

rg -n "math-codegen|cg\\.parse|codegen.*parse|new Function|formula|expression.*parse|evaluate.*expression" .
npm ls math-codegen
pnpm why math-codegen
yarn why math-codegen
rg -n "formula|expression|rule|calculator|spreadsheet|ticket|tool output|LLM output|workflow.*input" src server packages apps

Remediation strategy

Upgrade math-codegen to 0.4.3+ everywhere this repository controls manifests, lockfiles, images, or deployment manifests.
Block untrusted expression parsing until patched if the upgrade cannot be deployed atomically.
Add validation around expression features this product actually supports; reject strings, identifiers, or syntax that are not required.
Run expression evaluation in the least-privilege runtime available. Do not give formula evaluators ambient access to process, filesystem APIs, network APIs, package tokens, or cloud credentials.
Prefer a non-code-generating expression evaluator for untrusted inputs when product requirements allow it.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-41507 (math-codegen string literal code injection
leading to remote code execution). Produce exactly one output:

- A reviewer-ready PR/change request that upgrades math-codegen, contains
  untrusted expression evaluation, adds regression coverage, and documents
  operator cleanup, or
- TRIAGE.md if this repository does not own an affected runtime or cannot make
  a safe change.

## Rules

- Scope only CVE-2026-41507 / GHSA-p6x5-p4xf-cc4r.
- Treat expression inputs, generated code, credentials, customer data, worker
  environment values, source code, and logs as sensitive.
- Do not execute exploit payloads, shell commands, reverse shells, or
  attacker-controlled generated functions.
- Do not rely on ad hoc escaping as the only fix when a patched package is
  available.
- Do not auto-merge.

## Steps

1. Inventory every `math-codegen` reference controlled by this repository:
   package manifests, lockfiles, vendored code, Dockerfiles, CI images, SBOMs,
   deployment manifests, generated bundles, and docs.
2. Determine every resolved `math-codegen` version. A target is vulnerable if it
   resolves below `0.4.3`.
3. Search for expression evaluation paths:
   - `cg.parse()` or wrappers;
   - formula, rule, calculator, spreadsheet, dashboard, workflow, ticket, or
     tool-output parsing;
   - LLM-generated expressions or agent-supplied tool arguments.
4. Determine whether untrusted input can reach the parser. Include request
   bodies, tenant settings, workflow YAML, uploaded files, spreadsheet cells,
   ticket text, database records, webhook payloads, LLM output, and MCP tool
   results.
5. If `math-codegen` is absent or only used in non-deployable tests, stop with
   `TRIAGE.md` explaining what was checked and why the runtime is not exposed.
6. Upgrade to `math-codegen 0.4.3+`. Regenerate lockfiles, image digests, SBOMs,
   bundled assets, and dependency reports.
7. Add containment for non-atomic rollouts:
   - disable untrusted formula/expression evaluation;
   - reject string literals if the product does not need them;
   - reject expressions from LLM/tool output unless explicitly approved;
   - run evaluators in a constrained worker with no secrets.
8. Add regression tests that do not execute commands:
   - malicious-looking string literals are treated as inert data;
   - generated function source does not contain raw string literal content;
   - untrusted expression inputs cannot reach `new Function` without the
     patched parser;
   - dependency policy rejects `math-codegen <0.4.3`.
9. Add a PR body section named `CVE-2026-41507 operator actions` that states:
   - math-codegen versions before and after the change;
   - every untrusted expression entry point reviewed;
   - whether formula evaluation was public, tenant reachable, or agent
     reachable;
   - whether worker credentials should be rotated;
   - which logs should be reviewed for suspicious expression parse failures.
10. Run relevant validation: package install, lockfile checks, unit tests,
    integration tests for expression features, lint/typecheck, image build, SBOM
    refresh, and dependency/security scans available in this repository.
11. Use PR title:
    `fix(sec): remediate CVE-2026-41507 in math-codegen`.

## Stop conditions

- No affected `math-codegen` runtime is controlled by this repository.
- A fixed version cannot be consumed without a broader migration.
- The product intentionally requires arbitrary code-generating expressions from
  untrusted users; document the risk and require a product/security decision.
- Verification would require executing attacker-controlled generated code.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

No controlled package, lockfile, image, SBOM, or deployment target resolves math-codegen <0.4.3.
Untrusted expression entry points are inventoried and either patched, disabled, or constrained.
Tests prove string literals remain data and cannot alter generated JavaScript syntax.
Expression evaluation does not run with broad credentials or ambient access.
Operator actions identify credential rotation and log review if exposure was possible.

Watch for

Updating only direct dependencies while a bundle, workspace package, or image layer still carries math-codegen <0.4.3.
Treating formulas from LLM output as trusted because they were generated by an internal agent.
Tests that assert parser output by executing the generated exploit-like function.
Manual escaping that fails on alternate string literal forms.

References

GitHub Advisory: https://github.com/advisories/GHSA-p6x5-p4xf-cc4r
NVD CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-41507
math-codegen project: https://github.com/mauriciopoppe/math-codegen