VYPR
Critical severity · 9.8 · NVD Advisory · Published Nov 27, 2017 · Updated May 13, 2026

CVE-2017-1001002

Description

math.js before 3.17.0 had an arbitrary code execution vulnerability in the JavaScript engine: creating a typed function with JavaScript code in the name could result in arbitrary code execution.
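To make the flaw concrete, here is an added illustration (not typed-function's or math.js's own code) of the pattern the advisory describes: a function name supplied by the caller is spliced into JavaScript source that the engine then compiles, so a name containing statements becomes executable code. The `generateSourceUnsafe`, `isSafeFunctionName`, `makeNamedIdentity` and `rejectsName` names, the identifier regex and the reserved-word list are all assumptions for this example. The hardened builder validates the name before any source is generated; the unsafe builder only returns source text, so nothing in the sample name is ever evaluated.

```javascript
// Added example (not typed-function's or math.js's code): a minimal model of
// the risky pattern behind this advisory, i.e. building JavaScript source from a
// caller-supplied function name and handing it to the engine, next to the
// mitigation of validating the name before any code generation happens.

// Constructed sample name, taken from the advisory's regression test. It is used
// here only as a string and is never compiled or executed.
const INJECTED_NAME = '(){}+console.log(`hacked...`);function a';

// Model of the unsafe pattern: the name is spliced verbatim into source text.
// With INJECTED_NAME the result reads "function (){}+console.log(...);function a(x) {...}",
// so everything after the first "(){}" would become its own statement if this
// string were ever compiled. This function therefore only returns the text.
function generateSourceUnsafe(name) {
  return 'return function ' + name + '(x) { return x; };';
}

// Mitigation: accept only plain identifiers that are not reserved or restricted
// words. This is an assumption about what a safe check looks like, not a
// statement of how typed-function 0.10.6 implements its fix.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED = new Set([
  'function', 'return', 'var', 'let', 'const', 'class', 'new', 'this', 'eval',
  'arguments', 'if', 'else', 'for', 'while', 'do', 'switch', 'case', 'break',
  'continue', 'throw', 'try', 'catch', 'finally', 'typeof', 'instanceof', 'in',
  'delete', 'void', 'with', 'yield', 'await', 'import', 'export', 'default',
  'extends', 'super', 'null', 'true', 'false',
]);

function isSafeFunctionName(name) {
  return typeof name === 'string' && IDENTIFIER.test(name) && !RESERVED.has(name);
}

// Hardened builder: validate first, and only then generate and compile source.
// Because the name is now guaranteed to be a bare identifier, the same template
// that was dangerous above can no longer smuggle in extra statements.
function makeNamedIdentity(name) {
  if (!isSafeFunctionName(name)) {
    throw new SyntaxError('Invalid function name: ' + JSON.stringify(name));
  }
  const source = generateSourceUnsafe(name);
  return new Function(source)();
}

// Helper for checks: true when the hardened builder refuses the name.
function rejectsName(name) {
  try {
    makeNamedIdentity(name);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Usage: a valid name yields a working named function, the injected one is refused.
const sq = makeNamedIdentity('sq');
console.log(sq.name, sq(7), rejectsName(INJECTED_NAME));
```

The important ordering is that validation happens before any source text exists; escaping the name inside the template after the fact is much easier to get wrong than refusing anything that is not an identifier.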

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
mathjs (npm)   < 3.17.0            3.17.0

Affected products

  • math.js/math.jsv5
    Range: 3.17.0

Patches

8d2d48d81b3c

Fixed a security issue in `typed-function` allowing arbitrary code execution

5 files changed · +30 −2
  • HISTORY.md  +3 −0  modified
    @@ -4,6 +4,9 @@
     ## not yet released, version 3.17.0
     
     - Improved `simplify` for nested exponentiations. Thanks @IvanVergiliev.
    +- Fixed a security issue in `typed-function` allowing arbitrary code execution
    +  in the JavaScript engine by creating a typed function with JavaScript code
    +  in the name. Thanks Masato Kinugawa.
     
     
     ## 2017-10-18, version 3.16.5
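Review bot: the changelog entry attributes the fix entirely to `typed-function`, but this same commit also hardens the parser (`lib/expression/parse.js` now requires `type.isSymbolNode(node.fn)` before treating `f(x) = ...` as a function assignment). Consider a second sentence noting that function assignment on an accessor target such as `a["b"](x) = x^2` is now rejected as a syntax error, since that is a user-visible change in accepted syntax, and consider referencing CVE-2017-1001002 so downstream tooling can match this entry to the advisory.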
    
  • lib/expression/parse.js  +1 −1  modified
    @@ -592,7 +592,7 @@ function factory (type, config, load, typed) {
             value = parseAssignment();
             return new AssignmentNode(node.object, node.index, value);
           }
    -      else if (type.isFunctionNode(node)) {
    +      else if (type.isFunctionNode(node) && type.isSymbolNode(node.fn)) {
             // parse function assignment like 'f(x) = x^2'
             valid = true;
             args = [];
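Review bot: the added `type.isSymbolNode(node.fn)` guard is the right narrowing, since only a plain symbol such as `f` should be the target of a function assignment; with an accessor head like `a["b"](x)` the branch is now skipped and the existing fall-through is expected to raise the "Invalid left hand side of assignment operator" error the new tests look for. Two suggestions: add a short comment stating that the guard exists to keep arbitrary strings out of the generated function name, because that motivation is not visible from the condition alone, and confirm that the fall-through path, which lies outside this hunk, actually throws for both `[]["…"]()=0` and `{}["…"]()=0` rather than matching a different branch first.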
    
  • package.json  +1 −1  modified
    @@ -93,7 +93,7 @@
         "javascript-natural-sort": "0.7.1",
         "seed-random": "2.2.0",
         "tiny-emitter": "2.0.0",
    -    "typed-function": "0.10.5"
    +    "typed-function": "0.10.6"
       },
       "devDependencies": {
         "benchmark": "2.1.4",
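Review bot: this bump from `0.10.5` to `0.10.6` is the part of the change that addresses the root cause (the unsafe code generation inside `typed-function`), while the parser change only closes one route to it, so the two must ship together. Any consumer that pins `typed-function` separately or installs from a lockfile will need to refresh it to receive the fix; if the repository carries a lockfile, its update should accompany this hunk.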
    
  • test/expression/parse.test.js  +7 −0  modified
    @@ -812,6 +812,13 @@ describe('parse', function() {
           assert.equal(obj.f(2), 4);
         });
     
    +    it('should not parse a function assignment in an accessor node', function () {
    +      assert.throws(function () {
    +        var scope = {}
    +        var obj = parseAndEval('a["b"](x)=x^2', scope);
    +      }, /SyntaxError: Invalid left hand side of assignment operator =/)
    +    });
    +
         it('should parse an object containing a variable assignment', function () {
           var scope = {};
           assert.deepEqual(parseAndEval('{f: a=42}', scope), {f: 42});
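Review bot: `var obj` is assigned but never used inside the throwing callback; calling `parseAndEval('a["b"](x)=x^2', scope)` on its own is clearer. The test covers only the bracket-accessor form; the `isSymbolNode(node.fn)` guard should equally reject the dot spelling `a.b(x) = x^2` if the parser builds an AccessorNode for it, so a second assertion for that form would document the full behaviour the guard introduces.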
    
  • test/expression/security.test.js  +18 −0  modified
    @@ -288,6 +288,24 @@ describe('security', function () {
         }, /Undefined symbol Chain/);
       })
     
    +  it ('should not allow passing a function name containg bad contents', function () {
    +    // underlying issues where:
    +    // the input '[]["fn"]()=0'   
    +    // - defines a function in the root scope, but this shouldn't be allowed syntax
    +    // - there is a typed function created which unsecurely evaluates JS code with the function name in it 
    +    //   -> when the function name contains JS code it can be executed, example:
    +    //
    +    //         var fn = typed("(){}+console.log(`hacked...`);function a", { "": function () { } })
    +
    +    assert.throws(function () {
    +      math.eval('[]["(){}+console.log(`hacked...`);function a"]()=0')
    +    }, /SyntaxError: Invalid left hand side of assignment operator =/);
    +
    +    assert.throws(function () {
    +      math.eval('{}["(){}+console.log(`hacked...`);function a"]()=0')
    +    }, /SyntaxError: Invalid left hand side of assignment operator =/);
    +  })
    +
       it ('should allow calling functions on math', function () {
         assert.equal(math.eval('sqrt(4)'), 2);
       })
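Review bot: typos in the new test, `containg` in the description and `where` for `were` in the comment, plus trailing whitespace on two of the comment lines. More substantively, both assertions only check that the parser refuses the input with a SyntaxError, which exercises the `parse.js` guard but not the `typed-function` 0.10.6 fix that the comment itself identifies as the underlying issue; a direct test against `typed(...)` with such a name, asserting that it is rejected or at least that the embedded statement never runs, would lock in the dependency-level fix as well, so a later parser change cannot silently reopen the path.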
    
