math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object.

## Recommendation

Upgrade to version 3.17.0 or later.

Affected Packages

npm mathjs

Affected versions: 0 (fixed in 3.17.0)

Related CVEs

CVE-2017-1001003

Key Information

GHSA ID

GHSA-pv8x-p9hq-j328

Published

December 18, 2017 10:27 PM

Last Modified

September 12, 2023 6:41 PM

CVSS Score

9.0 /10

Primary Ecosystem

npm

Primary Package

mathjs

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 31, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.