CVE-2017-1001002

Published: Nov 27, 2017Modified: May 13, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

math.js before 3.17.0 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution.

Affected (1)

Products: Mathjs: Math.js

Mathjs

1 product

Math.js

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mathjs Math.js	Up to 3.17.0

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (4)

https://github.com/josdejong/mathjs/blob/master/HISTORY.md#2017-11-18-version-3170

Source: 46fe6300-5254-4a98-9594-a9567bec8179

https://github.com/josdejong/mathjs/commit/8d2d48d81b3c233fb64eb2ec1d7a9e1cf6a55a90

Source: 46fe6300-5254-4a98-9594-a9567bec8179

https://github.com/josdejong/mathjs/blob/master/HISTORY.md#2017-11-18-version-3170

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/josdejong/mathjs/commit/8d2d48d81b3c233fb64eb2ec1d7a9e1cf6a55a90

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.