Arbitrary Code Execution in mathjs

math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object.

Recommendation

Upgrade to version 3.17.0 or later.

References

Published to the GitHub Advisory Database Dec 18, 2017

Reviewed Jun 16, 2020

Last updated Sep 12, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Recommendation

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code