
CVE-2017-1001002: Arbitrary Code Execution in mathjs

CVSS Score (v3.0): 9.8

Basic Information

EPSS Score: 0.7651%
Published: 12/18/2017
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
mathjs       | npm       | < 3.17.0            | 3.17.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper validation of function names during typed-function creation. The commit diff shows that a check was added to ensure function names are SymbolNodes (type.isSymbolNode(node.fn)), which prevents executable code from being smuggled in through a function name. The security test added in security.test.js demonstrates exploitation via function names containing executable JavaScript. The change to function-assignment handling in parse.js directly addresses this vector.

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

math.js before 3.17.0 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result in arbitrary execution.

Recommendation

Update to version 3.17.0 or later.
