math.js before 3.17.0 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution.

## Recommendation

Update to version 3.17.0 or later.

Affected Packages

npm mathjs

Affected versions: 0 (fixed in 3.17.0)

Related CVEs

CVE-2017-1001002

Key Information

GHSA ID

GHSA-vx5c-87qx-cv6c

Published

December 18, 2017 10:27 PM

Last Modified

June 10, 2021 8:06 PM

CVSS Score

9.0 /10

Primary Ecosystem

npm

Primary Package

mathjs

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 31, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.