Arbitrary Code Execution in mathjs

Do your applications use this vulnerable package? Test your applications

Overview

mathjs is an extensive math library for JavaScript and Node.js.

Affected versions of the package are vulnerable to Arbitrary Code Execution. The isSafeMethod was able to call other methods (like bind) which is not allowed and could cause code execution on the remote server.

Remediation

Upgrade mathjs to version 3.13.3 or higher.

References

GitHub Changelog
GitHub Commit

Attack Vector

Network
Attack Complexity

High
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

Low
Availability

Low

Credit: Jos De Jong
CWE: CWE-94
Snyk ID: npm:mathjs:20170527
Disclosed: 27 May, 2017
Published: 28 Jan, 2018

Arbitrary Code Execution
Affecting mathjs package, versions <3.13.3

Overview

Remediation

References

CVSS Score

Arbitrary Code Execution Affecting mathjs package, versions <3.13.3

Overview

Remediation

References

Arbitrary Code Execution
Affecting mathjs package, versions <3.13.3