String literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE.
The vulnerability is addressed by using JSON.stringify() on string literal values in lib/node/ConstantNode.js to ensure they are treated as data rather than code. Users should upgrade to version 0.4.3 or later.
Avoid passing un-sanitized user input to the parser or manually escape string literals in the input.
0.4.3Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:HI:HA:H9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H