mathjs
npm · 5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting mathjs (page 1 of 1)
- CVE-2017-1001002 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 3.17.0 · 2017-11-27
math.js before 3.17.0 had an arbitrary code execution vulnerability in the JavaScript engine. Creating a typed function with JavaScript code in the name could result in arbitrary execution.
- CVE-2017-1001003 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 3.17.0 · 2017-11-27
math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using Unicode characters when creating an object.
- CVE-2020-7743 · HIGH · CVSS 7.3 · EG 7.3 · ✓ Fixed in 7.5.1 · 2020-10-13
The package mathjs before 7.5.1 is vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.
- CVE-2026-40897 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 15.2.0 · 2026-04-24
Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application whe…
- CVE-2026-41139 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 15.2.0 · 2026-05-07
Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.