Arbitrary Code Execution in mathjs

Description

math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object.

Recommendation

Update the mathjs package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.17.0
• Patched version(s): 3.17.0

References

• GHSA-pv8x-p9hq-j328
• www.npmjs.com
• CVE-2017-1001003
• CWE-88
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Arbitrary Code Execution in mathjs - mathjs - CVE-2017-1001002
• FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
• Arbitrary code execution in protobufjs - CVE-2026-41242
• Trix Editor Arbitrary Code Execution Vulnerability - CVE-2024-34341

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

mathjs