Critical severity9.8NVD Advisory· Published Nov 27, 2017· Updated May 13, 2026

CVE-2017-1001003

Description

math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
mathjsnpm	< 3.17.0	3.17.0

Affected products

math.js/math.jsv5
Range: 3.17.0

Patches

a60f3c8d9dd7

Fixed a security issue where forbidden properties like constructor could be replaced by using unicode characters when creating an object

https://github.com/josdejong/mathjsjosNov 18, 2017via ghsa

commit

4 files changed · +32 −3

HISTORY.md+3 −0 modified

@@ -7,6 +7,9 @@
 - Fixed a security issue in `typed-function` allowing arbitrary code execution
   in the JavaScript engine by creating a typed function with JavaScript code
   in the name. Thanks Masato Kinugawa.
+- Fixed a security issue where forbidden properties like constructor could be
+  replaced by using unicode characters when creating an object. No known exploit,
+  but could possibly allow arbitrary code execution. Thanks Masato Kinugawa.
 
 
 ## 2017-10-18, version 3.16.5

lib/expression/node/ObjectNode.js+7 −3 modified

@@ -60,11 +60,15 @@ function factory (type, config, load, typed) {
     var entries = [];
     for (var key in node.properties) {
       if (hasOwnProperty(node.properties, key)) {
-        if (!isSafeProperty(node.properties, key)) {
-          throw new Error('No access to property "' + key + '"');
+        // we stringify/parse the key here to resolve unicode characters,
+        // so you cannot create a key like {"co\\u006Estructor": null} 
+        var stringifiedKey = stringify(key)
+        var parsedKey = JSON.parse(stringifiedKey)
+        if (!isSafeProperty(node.properties, parsedKey)) {
+          throw new Error('No access to property "' + parsedKey + '"');
         }
 
-        entries.push(stringify(key) + ': ' + compile(node.properties[key], defs, args));
+        entries.push(stringifiedKey + ': ' + compile(node.properties[key], defs, args));
       }
     }
     return '{' + entries.join(', ') + '}';

test/expression/security.test.js+17 −0 modified

@@ -83,6 +83,23 @@ describe('security', function () {
     }, /Error: No access to property "bind/);
   })
 
+  it ('should not allow disguising forbidden properties with unicode characters', function () {
+    var scope = {
+      a: {}
+    };
+
+    assert.throws(function () { math.eval('a.co\u006Estructor', scope); }, /Error: No access to property "constructor"/);
+    assert.throws(function () { math.eval('a["co\\u006Estructor"]', scope); }, /Error: No access to property "constructor"/);
+    assert.throws(function () { math.eval('a.constructor', scope); }, /Error: No access to property "constructor"/);
+    assert.throws(function () { math.eval('a.constructor = 2', scope); }, /Error: No access to property "constructor"/);
+    assert.throws(function () { math.eval('a["constructor"] = 2', scope); }, /Error: No access to property "constructor"/);
+    assert.throws(function () { math.eval('a["co\\u006Estructor"] = 2', scope); }, /Error: No access to property "constructor"/);
+    assert.throws(function () { math.eval('a = {"constructor": 2}', scope); }, /Error: No access to property "constructor"/);
+    assert.throws(function () { math.eval('a = {constructor: 2}', scope); }, /Error: No access to property "constructor"/);
+    assert.throws(function () { math.eval('a = {"co\\u006Estructor": 2}', scope); }, /Error: No access to property "constructor"/);
+    assert.throws(function () { math.eval('a = {co\u006Estructor: 2}', scope); }, /Error: No access to property "constructor"/);
+  })
+
   it ('should not allow calling Function via imported, overridden function', function () {
     assert.throws(function () {
       var math2 = math.create();

test/utils/customs.test.js+5 −0 modified

@@ -85,6 +85,9 @@ describe ('customs', function () {
 
       // non existing method
       assert.equal(customs.isSafeMethod(matrix, 'nonExistingMethod'), false);
+
+      // method with unicode chars
+      assert.equal(customs.isSafeMethod(matrix, 'co\u006Estructor'), false);
     });
 
   });
@@ -113,6 +116,8 @@ describe ('customs', function () {
       // non existing property
       assert.equal(customs.isSafeProperty(object, 'bar'), true);
 
+      // property with unicode chars
+      assert.equal(customs.isSafeProperty(object, 'co\u006Estructor'), false);
     });
 
     it ('should test inherited properties on plain objects ', function () {

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-pv8x-p9hq-j328ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-1001003ghsaADVISORY
github.com/josdejong/mathjs/blob/master/HISTORY.mdnvdWEB
github.com/josdejong/mathjs/commit/a60f3c8d9dd714244aed7a5569c3dccaa3a4e761nvdWEB
www.npmjs.com/advisories/551ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000