CVE-2017-1001003
CRITICAL
mathjs < 3.17.0 - Prototype Pollution via Unicode Character Bypass
Title source: llm
Description
math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object.
References (2)
Core References
Various Sources x_refsource_confirm
https://github.com/josdejong/mathjs/blob/master/HISTORY.md#2017-11-18-version-3170
Patch x_refsource_confirm
https://github.com/josdejong/mathjs/commit/a60f3c8d9dd714244aed7a5569c3dccaa3a4e761
Scores
CVSS v3
9.8
EPSS
0.0169
EPSS Percentile
74.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
CWE-88
Status
published
Products (3)
math.js/math.js
3.17.0
mathjs_project/mathjs
< 3.17.0
npm/mathjs
0 - 3.17.0 (npm)
Published
Nov 27, 2017
Tracked Since
Feb 18, 2026