CVE-2017-1001002

CRITICAL

math.js < 3.17.0 - Remote Code Execution via Typed Function Name Injection

Description

math.js before 3.17.0 had an arbitrary code execution vulnerability in the JavaScript engine. Creating a typed function with JavaScript code in the name could result in arbitrary execution.

Scores

CVSS v3 9.8
EPSS 0.0236
EPSS Percentile 81.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (3)
math.js/math.js 3.17.0
mathjs/math.js < 3.17.0
npm/mathjs 0 - 3.17.0 (npm)
Published Nov 27, 2017
Tracked Since Feb 18, 2026