Arbitrary Code Execution

Module: mathjs

Published: December 6th, 2017

Reported by: Masato Kinugawa

CVE-2017-1001002

CWE-94

Vulnerable: <3.17.0
Patched: >=3.17.0

Overview

math.js before 3.17.0 had an arbitrary code execution vulnerability in the JavaScript engine. Creating a typed function with JavaScript code in the name could result in arbitrary code execution.

Remediation

Update to version 3.17.0 or later.
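
To confirm the remediation across a project, including nested copies pulled in by other packages, the following added example (not part of the original advisory or the mathjs project) scans a parsed package-lock.json for mathjs installs below 3.17.0. The sample lockfile, the package names other than mathjs, and the function names are constructed for illustration; pre-releases of 3.17.0 are conservatively reported as vulnerable.

```javascript
// Added example: flag mathjs installs below the patched version 3.17.0.
const PATCHED = [3, 17, 0];

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for git/tarball/other specs.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  return m ? { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) } : null;
}

// true = below 3.17.0, false = patched, null = version could not be determined.
function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return null;
  for (let i = 0; i < 3; i++) {
    if (v.nums[i] !== PATCHED[i]) return v.nums[i] < PATCHED[i];
  }
  return v.pre; // assumption: a 3.17.0 pre-release is treated as not yet patched
}

// Collect every installed mathjs copy: "packages" (lockfile v2/v3) and nested "dependencies" (v1).
function findMathjs(lock) {
  const found = new Map(); // install path -> version
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/mathjs' || path.endsWith('/node_modules/mathjs')) found.set(path, pkg.version);
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'mathjs' && !found.has(path)) found.set(path, dep.version);
      walk(dep.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

function auditLockfile(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const findings = [];
  for (const [path, version] of findMathjs(lock)) {
    const vulnerable = isVulnerable(version);
    if (vulnerable !== false) findings.push({ path, version, status: vulnerable ? 'vulnerable' : 'unknown' });
  }
  return findings;
}

// Constructed sample; "legacy-tool" appears only in the v1 section to exercise that path.
const SAMPLE_LOCK = { lockfileVersion: 2,
  packages: { 'node_modules/mathjs': { version: '3.20.2' }, 'node_modules/calc-widget/node_modules/mathjs': { version: '3.16.5' } },
  dependencies: { mathjs: { version: '3.20.2' }, 'legacy-tool': { version: '2.0.0', dependencies: { mathjs: { version: '3.9.0' } } } } };
console.log(auditLockfile(SAMPLE_LOCK));
```

A top-level mathjs at a patched version does not clear the project: each nested path reported here needs its parent package updated or the dependency overridden.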
