Arbitrary Code Execution

Module: mathjs

Published: December 6th, 2017

Reported by: Masato Kinugawa

CVE-2017-1001003

CWE-94

Vulnerable: <3.17.0
Patched: >=3.17.0

Overview

math.js before 3.17.0 allowed private properties such as constructor to be replaced by using Unicode characters when creating an object.
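
The kind of guard the overview describes, shown as an added example (not mathjs code and not taken from the fix commit). It assumes a name blocklist that is applied to the raw key text before escape sequences are decoded, a detail the advisory does not spell out; every function name and sample key is constructed for illustration.

```javascript
// Added illustration; not mathjs source. All names below are hypothetical.
const BLOCKED = new Set(['constructor', '__proto__', 'prototype']);

// Decode \uXXXX escapes the way a string-literal parser would.
function decodeKey(rawKey) {
  return rawKey.replace(/\\u([0-9a-fA-F]{4})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Weak ordering: the guard sees the raw source text, the write uses the
// decoded name, so the two can disagree.
function setPropertyWeak(obj, rawKey, value) {
  if (BLOCKED.has(rawKey)) throw new Error('No access to property "' + rawKey + '"');
  obj[decodeKey(rawKey)] = value;
  return obj;
}

// Hardened ordering: decode first, then guard the exact name being written.
function setPropertyStrict(obj, rawKey, value) {
  const key = decodeKey(rawKey);
  if (BLOCKED.has(key)) throw new Error('No access to property "' + key + '"');
  obj[key] = value;
  return obj;
}

// Constructed sample keys as they would appear in source text.
const SAMPLE_KEYS = ['radius', 'constructor', '\\u0063onstructor'];

// Run every sample key through a setter and report what happened.
function audit(setter) {
  return SAMPLE_KEYS.map((rawKey) => {
    const target = {};
    try {
      setter(target, rawKey, 'replaced');
    } catch (err) {
      return 'rejected';
    }
    return Object.prototype.hasOwnProperty.call(target, 'constructor')
      ? 'constructor-replaced' : 'ok';
  });
}

console.log('weak  :', audit(setPropertyWeak).join(', '));
console.log('strict:', audit(setPropertyStrict).join(', '));
```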

Remediation

Upgrade to version 3.17.0 or later.

References

Commit #a60f3c8 https://github.com/josdejong/mathjs/blob/master/HISTORY.md#2017-11-18-version-3170