Arbitrary Code Execution

Module: mathjs

Published: December 6th, 2017

Reported by: Masato Kinugawa

CVE-2017-1001003

CWE-

Vulnerable: <3.17.0
Patched: >=3.17.0

Overview

math.js before 3.17.0 had an issue where private properties, such as a constructor, could be replaced by using Unicode characters when creating an object.

Remediation

Upgrade to version 3.17.0 or greater.
