📂 Vulnerable Library - mathjs-3.10.1.tgz
Math.js is an extensive math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with dif
Library home page: https://registry.npmjs.org/mathjs/-/mathjs-3.10.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mathjs/package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-1001002 | 🟣 Critical | 9.3 | Not Defined | 1.0% | mathjs-3.10.1.tgz | Direct | mathjs - 3.17.0 | ✅ | Reachable |
| CVE-2017-1001003 | 🟣 Critical | 9.3 | Not Defined | < 1% | mathjs-3.10.1.tgz | Direct | mathjs - 3.17.0 | ✅ | Reachable |
| CVE-2020-7743 | 🟠 Medium | 6.9 | Not Defined | 1.7% | mathjs-3.10.1.tgz | Direct | mathjs - 7.5.1 | ✅ | Reachable |
Details
🟣CVE-2017-1001002
Dependency Hierarchy:
- ❌ mathjs-3.10.1.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- dvna-0.0.1/core/appHandler.js (Application)
- mathjs-3.10.1/index.js (Extension)
- mathjs-3.10.1/lib/index.js (Extension)
- mathjs-3.10.1/lib/expression/index.js (Extension)
- mathjs-3.10.1/lib/expression/docs/index.js (Extension)
-> ❌ mathjs-3.10.1/lib/expression/docs/function/trigonometry/sech.js (Vulnerable Component)
Vulnerability Details
math.js before 3.17.0 had an arbitrary code execution vulnerability in the JavaScript engine. Creating a typed function with JavaScript code in the name could result in arbitrary execution.
Publish Date: Nov 27, 2017 02:00 PM
URL: CVE-2017-1001002
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.0%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-vx5c-87qx-cv6c
Release Date: Nov 27, 2017 02:00 PM
Fix Resolution: mathjs - 3.17.0
🟣CVE-2017-1001003
Dependency Hierarchy:
- ❌ mathjs-3.10.1.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- dvna-0.0.1/core/appHandler.js (Application)
- mathjs-3.10.1/index.js (Extension)
- mathjs-3.10.1/lib/index.js (Extension)
- mathjs-3.10.1/lib/type/index.js (Extension)
-> ❌ mathjs-3.10.1/lib/type/string.js (Vulnerable Component)
Vulnerability Details
math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using Unicode characters when creating an object.
Publish Date: Nov 27, 2017 02:00 PM
URL: CVE-2017-1001003
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-pv8x-p9hq-j328
Release Date: Nov 27, 2017 02:00 PM
Fix Resolution: mathjs - 3.17.0
🟠CVE-2020-7743
Dependency Hierarchy:
- ❌ mathjs-3.10.1.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- dvna-0.0.1/core/appHandler.js (Application)
- mathjs-3.10.1/index.js (Extension)
- mathjs-3.10.1/lib/index.js (Extension)
- mathjs-3.10.1/lib/expression/index.js (Extension)
- mathjs-3.10.1/lib/expression/docs/index.js (Extension)
-> ❌ mathjs-3.10.1/lib/expression/docs/function/trigonometry/sech.js (Vulnerable Component)
Vulnerability Details
The package mathjs before 7.5.1 is vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.
Publish Date: Oct 13, 2020 09:15 AM
URL: CVE-2020-7743
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.7%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-x2fc-mxcx-w4mf
Release Date: Oct 13, 2020 09:15 AM
Fix Resolution: mathjs - 7.5.1