What the vulnerability does

01Description

math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object.

Key dates

02Disclosure timeline

November 27, 2017 CVE published
September 17, 2024 Record updated