CVE-2026-41507
math-codegen · math-codegen
The math-codegen library is vulnerable to RCE because it injects unsanitized string literals into a new Function body.
Executive summary
A critical RCE vulnerability in the math-codegen library allows attackers to execute arbitrary system commands through malicious mathematical expressions.
Vulnerability
The cg.parse() function does not sanitize string literals in user-controlled input before embedding them in the generated function body, so an attacker-supplied expression can inject arbitrary code that is executed within the context of the application.
Business impact
With a CVSS score of 9.8, this vulnerability allows full RCE in any application that passes user-controlled expressions to the library for mathematical evaluation. This could lead to total server compromise, data theft, or the installation of malicious software within the application environment.
Remediation
Immediate Action: Upgrade math-codegen to version 0.4.3 or later.
Proactive Monitoring: Audit applications for endpoints that pass user input into mathematical parsers and monitor for unusual child processes being spawned.
Compensating Controls: Implement strict input validation and sanitization for all user-provided mathematical expressions before passing them to the library.
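One way to implement the compensating control above is an allow-list validator placed in front of the evaluator, so that only tokens of a plain arithmetic grammar (numbers, a fixed set of identifiers, operators, parentheses, commas) ever reach the library; quotes, backticks, backslashes, brackets, braces and semicolons are rejected, which is what keeps string literals out of the generated function body. This is an added example, not code from math-codegen or from the advisory; the allowed identifier set, the length cap and the `evaluate` callback are assumptions about the hosting application.

```javascript
// Added example: allow-list validator for user-supplied math expressions,
// used as a gate in front of a code-generating evaluator such as math-codegen.
// Not the library's own code. ALLOWED_NAMES and MAX_LENGTH are assumptions
// about what a given application needs and should be tuned per deployment.

const ALLOWED_NAMES = new Set([
  'sin', 'cos', 'tan', 'sqrt', 'abs', 'log', 'exp', 'min', 'max', 'pow',
  'pi', 'e', 'x', 'y', 'z',
]);
const MAX_LENGTH = 256;

// Token patterns, tried in order at the current position of the input.
const TOKEN_PATTERNS = [
  { type: 'number', re: /^(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?/ },
  { type: 'name',   re: /^[A-Za-z_][A-Za-z0-9_]*/ },
  { type: 'op',     re: /^[-+*/^%]/ },
  { type: 'paren',  re: /^[()]/ },
  { type: 'comma',  re: /^,/ },
  { type: 'space',  re: /^\s+/ },
];

// Returns { ok: true, tokens } when the expression consists only of allowed
// tokens with balanced parentheses, otherwise { ok: false, reason }.
function validateExpression(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > MAX_LENGTH) return { ok: false, reason: 'too long' };

  const tokens = [];
  let depth = 0;
  let pos = 0;
  while (pos < input.length) {
    const rest = input.slice(pos);
    let matched = null;
    for (const { type, re } of TOKEN_PATTERNS) {
      const m = re.exec(rest);
      if (m) { matched = { type, text: m[0] }; break; }
    }
    // Anything the grammar does not name (quotes, backticks, backslashes,
    // brackets, braces, semicolons, '=' ...) is rejected outright.
    if (!matched) {
      return { ok: false, reason: `disallowed character at offset ${pos}` };
    }
    if (matched.type === 'name' && !ALLOWED_NAMES.has(matched.text)) {
      return { ok: false, reason: `unknown identifier "${matched.text}"` };
    }
    if (matched.type === 'paren') {
      depth += matched.text === '(' ? 1 : -1;
      if (depth < 0) return { ok: false, reason: 'unbalanced ")"' };
    }
    if (matched.type !== 'space') tokens.push(matched);
    pos += matched.text.length;
  }
  if (depth !== 0) return { ok: false, reason: 'unbalanced "("' };
  if (tokens.length === 0) return { ok: false, reason: 'empty expression' };
  return { ok: true, tokens };
}

// Gate: only expressions that pass validation are handed to the evaluator.
// `evaluate` is an assumed application callback (for example a wrapper around
// the library's parser), not a math-codegen API.
function evaluateIfSafe(input, evaluate) {
  const result = validateExpression(input);
  if (!result.ok) throw new Error(`rejected expression: ${result.reason}`);
  return evaluate(input);
}
```

The validator is deliberately stricter than the library's expression syntax: it is a defence-in-depth control that should sit alongside the upgrade, not replace it, and any identifier the application legitimately needs must be added to ALLOWED_NAMES explicitly rather than by loosening the grammar.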
Exploitation status
Public Exploit Available: No
Analyst recommendation
Developers should immediately check their dependencies and update math-codegen. This is a classic injection vulnerability that can be easily exploited if not addressed.