Medium severity6.1NVD Advisory· Published Jul 17, 2017· Updated May 13, 2026

CVE-2017-1000043

Description

Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON name and map share control

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
mapbox.jsnpm	< 1.6.6	1.6.6
mapbox.jsnpm	>= 2.0.0, < 2.2.4	2.2.4
mapbox-railsRubyGems	>= 1.0.0, < 1.6.6	1.6.6
mapbox-railsRubyGems	>= 2.0.0, < 2.2.4	2.2.4

Affected products

Mapbox/Mapbox.js
cpe:2.3:a:mapbox:mapbox.js:*:*:*:*:*:node.js:*:*
Range: >=1.0.0,<1.6.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

hackerone.com/reports/99245nvdExploitThird Party AdvisoryWEB
github.com/advisories/GHSA-q69p-5h74-w36fghsaADVISORY
nodesecurity.io/advisories/74nvdThird Party AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2017-1000043ghsaADVISORY
github.com/rubysec/ruby-advisory-db/blob/master/gems/mapbox-rails/CVE-2017-1000043.ymlghsaWEB
www.npmjs.com/advisories/74ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000