Overview
mathjs is an extensive math library for JavaScript and Node.js.
Affected versions of the package are vulnerable to Arbitrary Code Execution. The isSafeMethod function was able to call other methods (like bind), which is not allowed and could cause code execution on the remote server.
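The kind of check described above, as an added illustration that is not mathjs's own code: a guard that an expression evaluator consults before invoking a method on an object, and which denies methods inherited from Function.prototype such as bind. The names isAllowedMethod, callMethod, SAFE_NATIVE and the sample objects are hypothetical and constructed for this example.

```javascript
// Added illustration, not mathjs source. All names here are hypothetical.
// Inherited native methods the evaluator may still call (assumed allowlist).
const SAFE_NATIVE = new Set(['toString', 'valueOf', 'toLocaleString']);

function isAllowedMethod(object, method) {
  if (object === null || object === undefined) return false;
  if (typeof method !== 'string') return false;
  if (typeof object[method] !== 'function') return false;

  // An own property that shadows a prototype method (for example a
  // caller-supplied toString) is untrusted.
  const proto = Object.getPrototypeOf(object);
  const own = Object.prototype.hasOwnProperty.call(object, method);
  if (own && proto !== null && method in proto) return false;

  if (SAFE_NATIVE.has(method)) return true;

  // Deny anything reachable through Function.prototype: bind, call, apply,
  // and (via its prototype chain) everything on Object.prototype as well.
  if (method in Function.prototype) return false;
  return true;
}

// Evaluator-side wrapper: every method call made by an expression passes the guard.
function callMethod(object, method, args) {
  if (!isAllowedMethod(object, method)) {
    throw new Error('No access to method "' + method + '"');
  }
  return object[method](...args);
}

// Constructed samples: a value object and a function exposed to expressions.
const unit = { value: 5, double() { return this.value * 2; } };
function exposedFn(x) { return x + 1; }

function demo() {
  const tryCall = (o, m) => {
    try { callMethod(o, m, []); return 'allowed'; } catch (e) { return 'denied'; }
  };
  return {
    double: tryCall(unit, 'double'),
    bind: tryCall(exposedFn, 'bind'),
    ctor: tryCall(unit, 'constructor'),
    toStr: tryCall(unit, 'toString'),
  };
}

console.log(demo());
```

The guard fails closed: a method is callable only if it is defined by the object's own type or appears on the short allowlist.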
Remediation
Upgrade mathjs to version 3.13.3 or higher.
CVSS Score
5.6 (medium severity)
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Credit: Jos De Jong
- CWE: CWE-94
- Snyk ID: npm:mathjs:20170527
- Disclosed: 27 May, 2017
- Published: 28 Jan, 2018