CVE-2026-41507 - math-codegen string literal RCE
math-codegen versions before 0.4.3 can inject string literal content passed
to cg.parse() into a generated new Function() body. When untrusted input
reaches the parser, an attacker can turn formula or expression evaluation into
server-side JavaScript code execution.
This class of vulnerability is especially relevant for agentic systems that accept user, ticket, spreadsheet, or tool-output expressions and evaluate them inside automation workers.
When to use it
- A repository installs or bundles
math-codegenin services, workers, CLIs, dashboards, formula engines, automation, or MCP/agent tools. cg.parse()or expression wrappers can receive input from users, tenants, spreadsheets, workflow YAML, tickets, webhooks, LLM output, or tool output.- Expression evaluation runs with source, credentials, internal network access, customer data, deployment state, or build artifacts in scope.
- You need a bounded PR or triage note that upgrades
math-codegenand constrains untrusted expression evaluation.
Inputs
- Package manifests, lockfiles, vendored code, generated bundles, Dockerfiles, CI images, SBOMs, deployment manifests, expression parser call sites, and docs.
- Expression entry points, trust boundaries, supported syntax, worker privileges, secret exposure, logs, and credential rotation owners.
- Available package install, parser regression tests, integration tests, lint/typecheck, image build, SBOM, and dependency/security scans.
Affected versions
- Vulnerable:
math-codegen <0.4.3 - Fixed:
math-codegen 0.4.3+ - Affected API:
cg.parse()when untrusted string literals reach generated code.
Indicator-of-exposure
- The repository depends on
math-codegendirectly or transitively. - Application code calls
cg.parse(),parse(), generated expression functions, or wrappers around math/formula evaluation. - Users, tenants, spreadsheets, workflow YAML, tickets, LLM outputs, tool outputs, dashboards, rules, or API requests can supply expressions.
- Expression evaluation runs in a server, worker, CI job, MCP tool, browser automation host, or privileged background process.
- The process has access to credentials, source code, customer data, internal network routes, build artifacts, or writable deployment state.
Quick checks:
rg -n "math-codegen|cg\\.parse|codegen.*parse|new Function|formula|expression.*parse|evaluate.*expression" .
npm ls math-codegen
pnpm why math-codegen
yarn why math-codegen
rg -n "formula|expression|rule|calculator|spreadsheet|ticket|tool output|LLM output|workflow.*input" src server packages apps
Remediation strategy
- Upgrade
math-codegento0.4.3+everywhere this repository controls manifests, lockfiles, images, or deployment manifests. - Block untrusted expression parsing until patched if the upgrade cannot be deployed atomically.
- Add validation around expression features this product actually supports; reject strings, identifiers, or syntax that are not required.
- Run expression evaluation in the least-privilege runtime available. Do not
give formula evaluators ambient access to
process, filesystem APIs, network APIs, package tokens, or cloud credentials. - Prefer a non-code-generating expression evaluator for untrusted inputs when product requirements allow it.
The prompt
You are remediating CVE-2026-41507 (math-codegen string literal code injection
leading to remote code execution). Produce exactly one output:
- A reviewer-ready PR/change request that upgrades math-codegen, contains
untrusted expression evaluation, adds regression coverage, and documents
operator cleanup, or
- TRIAGE.md if this repository does not own an affected runtime or cannot make
a safe change.
## Rules
- Scope only CVE-2026-41507 / GHSA-p6x5-p4xf-cc4r.
- Treat expression inputs, generated code, credentials, customer data, worker
environment values, source code, and logs as sensitive.
- Do not execute exploit payloads, shell commands, reverse shells, or
attacker-controlled generated functions.
- Do not rely on ad hoc escaping as the only fix when a patched package is
available.
- Do not auto-merge.
## Steps
1. Inventory every `math-codegen` reference controlled by this repository:
package manifests, lockfiles, vendored code, Dockerfiles, CI images, SBOMs,
deployment manifests, generated bundles, and docs.
2. Determine every resolved `math-codegen` version. A target is vulnerable if it
resolves below `0.4.3`.
3. Search for expression evaluation paths:
- `cg.parse()` or wrappers;
- formula, rule, calculator, spreadsheet, dashboard, workflow, ticket, or
tool-output parsing;
- LLM-generated expressions or agent-supplied tool arguments.
4. Determine whether untrusted input can reach the parser. Include request
bodies, tenant settings, workflow YAML, uploaded files, spreadsheet cells,
ticket text, database records, webhook payloads, LLM output, and MCP tool
results.
5. If `math-codegen` is absent or only used in non-deployable tests, stop with
`TRIAGE.md` explaining what was checked and why the runtime is not exposed.
6. Upgrade to `math-codegen 0.4.3+`. Regenerate lockfiles, image digests, SBOMs,
bundled assets, and dependency reports.
7. Add containment for non-atomic rollouts:
- disable untrusted formula/expression evaluation;
- reject string literals if the product does not need them;
- reject expressions from LLM/tool output unless explicitly approved;
- run evaluators in a constrained worker with no secrets.
8. Add regression tests that do not execute commands:
- malicious-looking string literals are treated as inert data;
- generated function source does not contain raw string literal content;
- untrusted expression inputs cannot reach `new Function` without the
patched parser;
- dependency policy rejects `math-codegen <0.4.3`.
9. Add a PR body section named `CVE-2026-41507 operator actions` that states:
- math-codegen versions before and after the change;
- every untrusted expression entry point reviewed;
- whether formula evaluation was public, tenant reachable, or agent
reachable;
- whether worker credentials should be rotated;
- which logs should be reviewed for suspicious expression parse failures.
10. Run relevant validation: package install, lockfile checks, unit tests,
integration tests for expression features, lint/typecheck, image build, SBOM
refresh, and dependency/security scans available in this repository.
11. Use PR title:
`fix(sec): remediate CVE-2026-41507 in math-codegen`.
## Stop conditions
- No affected `math-codegen` runtime is controlled by this repository.
- A fixed version cannot be consumed without a broader migration.
- The product intentionally requires arbitrary code-generating expressions from
untrusted users; document the risk and require a product/security decision.
- Verification would require executing attacker-controlled generated code.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Verification - what the reviewer looks for
- No controlled package, lockfile, image, SBOM, or deployment target resolves
math-codegen <0.4.3. - Untrusted expression entry points are inventoried and either patched, disabled, or constrained.
- Tests prove string literals remain data and cannot alter generated JavaScript syntax.
- Expression evaluation does not run with broad credentials or ambient access.
- Operator actions identify credential rotation and log review if exposure was possible.
Output contract
- Reviewer-ready PR upgrading all controlled
math-codegenruntimes to0.4.3+with refreshed locks, bundles, images, SBOMs, and reports. - Inventory of untrusted expression entry points and containment for non-atomic rollouts, including disabling LLM/tool-output expressions where needed.
- Tests proving malicious-looking string literals stay inert without executing generated attacker code.
TRIAGE.mdwhen formula runtime, worker isolation, or credential cleanup is outside this repository.
Watch for
- Updating only direct dependencies while a bundle, workspace package, or image
layer still carries
math-codegen <0.4.3. - Treating formulas from LLM output as trusted because they were generated by an internal agent.
- Tests that assert parser output by executing the generated exploit-like function.
- Manual escaping that fails on alternate string literal forms.
Related recipes
- CVE-2025-12735 expr-eval context function RCE
- CVE-2026-41242 protobufjs generated-code RCE
- Browser agent boundary
References
- GitHub Advisory: https://github.com/advisories/GHSA-p6x5-p4xf-cc4r
- NVD CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-41507
- math-codegen project: https://github.com/mauriciopoppe/math-codegen