Npm · Math-Codegen · CVE-2026-41507
**Name of the Vulnerable Software and Affected Versions**
math-codegen versions prior to 0.4.3
**Description**
String literal content passed to the `cg.parse()` function is injected verbatim into a `new Function()` body without sanitization, so the literal's contents become part of the JavaScript that the host process executes. When user-controlled input reaches the parser, an attacker can therefore execute arbitrary code, including system commands. Applications that expose a math evaluation endpoint where user input flows into `cg.parse()` are susceptible to remote code execution (RCE): the attacker runs code of their choosing on the server hosting the application.
**Recommendations**
Update to version 0.4.3 or later.
Avoid passing unsanitized user input to the parser, or manually escape string literals in the input before it reaches `cg.parse()`.
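The following is an added example, not code from this advisory or from the math-codegen project: a pre-parse gate that implements the second recommendation for applications that cannot upgrade immediately. It assumes the expression grammar uses single- or double-quoted string literals; the allowlist, the length limit and the helper names are assumptions.

```javascript
// Gate for untrusted math expressions before they reach cg.parse().
// String literal bodies are held to a strict allowlist so nothing that
// could close the quote or start a new statement in the generated
// `new Function()` body is ever forwarded. (Hypothetical helper names.)

const SAFE_LITERAL = /^[A-Za-z0-9 _.-]*$/; // assumed allowlist

function checkExpression(expr, maxLength = 256) {
  if (typeof expr !== 'string') throw new TypeError('expression must be a string');
  if (expr.length > maxLength) throw new RangeError('expression too long');
  let i = 0;
  while (i < expr.length) {
    const c = expr[i];
    if (c !== '"' && c !== "'") { i++; continue; }
    // Backslash escapes are not honoured on purpose: a backslash is not in
    // the allowlist, so any escape sequence is rejected outright.
    const end = expr.indexOf(c, i + 1);
    if (end === -1) throw new SyntaxError('unterminated string literal');
    const body = expr.slice(i + 1, end);
    if (!SAFE_LITERAL.test(body)) {
      throw new SyntaxError('string literal contains disallowed characters');
    }
    i = end + 1;
  }
  return expr;
}

function isSafeExpression(expr) {
  try { checkExpression(expr); return true; } catch (e) { return false; }
}

// Wrap a math-codegen instance so every call passes through the gate first.
function parseUntrusted(cg, expr) {
  return cg.parse(checkExpression(expr));
}

// Constructed sample inputs: the first two pass, the rest are rejected.
const samples = [
  '1 + sin(x) * 2',
  'concat("hello", \'world\')',
  '"a\\"b"',          // backslash in literal body
  '"x\ny"',           // newline in literal body
  "'semi;colon'",     // statement separator
  '"unterminated',
];
for (const s of samples) console.log(JSON.stringify(s), isSafeExpression(s));
```

The gate rejects the literal rather than repairing it, which is the safer choice when the exact quoting convention of the generated code is unknown.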