CVE-2017-1001003

CRITICAL

math.js <3.17.0 - Code Injection

Title source: llm

Description

math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object.

References (2)

[Various Sources] https://github.com/josdejong/mathjs/blob/master/HISTORY.md#2017-11-18-version-3170

[Patch] https://github.com/josdejong/mathjs/commit/a60f3c8d9dd714244aed7a5569c3dccaa3a4e761

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0049

EPSS Percentile 65.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-88 CWE-20

Status draft

Affected Products (2)

mathjs_project/mathjs < 3.17.0

npm/mathjs < 3.17.0npm

Timeline

Published Nov 27, 2017

Tracked Since Feb 18, 2026