Arbitrary Code Execution

Module: mathjs

Published: December 6th, 2017

Reported by: Masato Kinugawa

CVE-2017-1001002

CWE-94

Vulnerable: <3.17.0
Patched: >=3.17.0

Overview

math.js before 3.17.0 had an arbitrary code execution vulnerability in the JavaScript engine. Creating a typed function with JavaScript code in its name could result in arbitrary code execution.

Remediation

Upgrade to version 3.17.0 or greater.
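
To confirm that no vulnerable copy remains after upgrading, including copies pulled in by other packages, the lockfile can be checked against the patched version above. The following is an added example, not code from the advisory or from math.js; the lockfile contents and the `calc-widget` package name are constructed for illustration.

```javascript
// Added example: report every mathjs < 3.17.0 recorded in an npm lockfile.
const PATCHED = [3, 17, 0]; // from the advisory: patched >=3.17.0

function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(String(version));
  if (!m) return true; // unparseable version: flag for manual review
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== PATCHED[i]) return v[i] < PATCHED[i];
  }
  return Boolean(m[4]); // a 3.17.0 pre-release sorts before 3.17.0
}

function findVulnerableMathjs(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/mathjs$/.test(path) && isVulnerable(pkg.version)) {
        hits.push({ path, version: pkg.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree
  (function walk(deps, trail) {
    for (const [name, pkg] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'mathjs' && isVulnerable(pkg.version)) {
        hits.push({ path: here.join(' > '), version: pkg.version });
      }
      walk(pkg.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles: top-level mathjs is patched, a nested copy is not.
const sampleV1 = { lockfileVersion: 1, dependencies: {
  mathjs: { version: '3.20.2' },
  'calc-widget': { version: '1.0.0', dependencies: { mathjs: { version: '3.16.5' } } },
} };
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/mathjs': { version: '3.17.0' },
  'node_modules/calc-widget/node_modules/mathjs': { version: '3.16.5' },
} };

console.log(findVulnerableMathjs(sampleV1), findVulnerableMathjs(sampleV3));
```

Pass the parsed contents of the project's own `package-lock.json` to `findVulnerableMathjs`; an empty result means no recorded copy falls in the vulnerable range.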
