PT-2026-35630 · Npm · Math-Codegen

Published

2026-04-17

·

Updated

2026-04-17

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact

String literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. An attacker who controls the expression can therefore close the quoted literal and supply arbitrary JavaScript, which runs with the privileges of the host Node.js process and can, for example, spawn system commands. Any application that exposes a math evaluation endpoint where user input flows into cg.parse() is vulnerable to remote code execution.

Patches

The vulnerability is addressed by using JSON.stringify() on string literal values in lib/node/ConstantNode.js to ensure they are treated as data rather than code. Users should upgrade to version 0.4.3 or later.
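As an added illustration (not code from math-codegen or from this advisory), the stand-alone JavaScript below models both the ConstantNode flaw described under Impact and the JSON.stringify() fix described under Patches. The names emitVulnerable, emitFixed, compileAndRun and the two payloads are constructed for this example and are not the library's API; the payload only sets a global flag rather than running a system command, so it is safe to execute.

```javascript
// Added example, not math-codegen's own code: a minimal model of the ConstantNode
// flaw and its fix. emitVulnerable mirrors the pre-0.4.3 behaviour of copying a
// string literal's text verbatim into generated source; emitFixed mirrors the
// patch (JSON.stringify). compileAndRun stands in for the codegen's
// `new Function()` step. All names and payloads here are constructed for the
// demonstration and are not the library's API.

function emitVulnerable(literalText) {
  // Pre-fix: attacker-controlled text becomes part of the program text.
  return "'" + literalText + "'";
}

function emitFixed(literalText) {
  // Post-fix: JSON.stringify yields a valid JS string literal with quotes,
  // backslashes and control characters escaped, so the text stays data.
  return JSON.stringify(literalText);
}

function compileAndRun(emit, literalText) {
  // Wrap the generated expression in a function body the way a code generator
  // would, execute it, and report whether the payload's side effect fired.
  globalThis.injected = false; // sentinel the payload tries to flip
  const source = 'return ' + emit(literalText) + ';';
  try {
    const value = new Function(source)();
    return { source, value, injected: globalThis.injected, error: null };
  } catch (err) {
    return { source, value: undefined, injected: globalThis.injected, error: err.name };
  }
}

// Constructed payloads: the text a user would place *inside* the quotes of a
// string literal in an expression handed to the parser. The first closes the
// single-quoted literal, runs arbitrary JS, and reopens a literal so the
// generated source still parses. In a real Node.js process the injected code
// sees globals such as `process` and can reach child_process from there.
// The second uses a double quote and a raw newline to exercise the escaping
// performed by the fixed emitter.
const PAYLOAD_SQ = "'+(globalThis.injected=true)+'";
const PAYLOAD_DQ = '"+(globalThis.injected=true)+"\n';

function demo() {
  return {
    vulnerable: compileAndRun(emitVulnerable, PAYLOAD_SQ),
    fixed: compileAndRun(emitFixed, PAYLOAD_SQ),
    fixedDoubleQuote: compileAndRun(emitFixed, PAYLOAD_DQ),
  };
}

const r = demo();
console.log('vulnerable source:', r.vulnerable.source);
console.log('payload executed :', r.vulnerable.injected);                 // true
console.log('fixed source     :', r.fixed.source);
console.log('payload executed :', r.fixed.injected);                      // false
console.log('literal preserved:', r.fixed.value === PAYLOAD_SQ);          // true
console.log('DQ/newline safe  :', r.fixedDoubleQuote.value === PAYLOAD_DQ); // true
```

Run it with `node` and compare the two generated sources: the vulnerable one contains the payload as code, the fixed one contains it as a quoted literal. One caveat on the fix itself: JSON.stringify() does not escape U+2028 and U+2029, which were not permitted unescaped in JavaScript string literals before ES2019; on engines implementing ES2019's JSON-superset change (current Node.js releases) its output is always a valid string literal, on older engines those two characters would need additional escaping.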

Workarounds

Avoid passing unsanitized user input to the parser. Manually escaping string literals in the input before it reaches cg.parse() is possible but fragile; upgrading to 0.4.3 or later is the reliable fix.

Weakness Enumeration

Code Injection

Related Identifiers

GHSA-P6X5-P4XF-CC4R

Affected Products

Math-Codegen