Math.js: When 1 + 1 Equals Root Shell (CVE-2017-1001003)

Amit Schendel
Senior Security Researcher

Jan 12, 2026

Executive Summary (TL;DR)

The math.js library attempted to block access to dangerous properties like `constructor` by comparing property names against a blacklist. However, it failed to normalize Unicode escape sequences before this check. An attacker could pass `co\u006Estructor`, which evades the textual blacklist but is resolved by the JavaScript engine to `constructor`. This grants access to the `Function` constructor, enabling arbitrary code execution on the host server.

A critical sandbox escape in the popular math.js library allows attackers to bypass property restrictions using Unicode escape sequences, leading to Remote Code Execution via the constructor chain.
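
The gap described in the summary, as an added example (not math.js code and not the project's actual patch): a denylist check on the raw token text beside one that resolves Unicode escapes first and then allows only own properties of the target. The function names, the denylist contents and the sample inputs are constructed for illustration.

```javascript
// Added example: constructed names and inputs, not math.js source or its patch.
const DENIED = new Set(['constructor', '__proto__', 'prototype']);

// Weak check: compares the raw token text exactly as written in the expression.
function naiveIsSafe(rawName) {
  return !DENIED.has(rawName);
}

// Resolve \uXXXX and \u{X...} escapes the way a JavaScript engine does for
// identifier names, so the check sees the same string the engine will use.
function decodeIdentifierEscapes(rawName) {
  const escape = /\\u\{([0-9a-fA-F]{1,6})\}|\\u([0-9a-fA-F]{4})/g;
  return rawName.replace(escape, (match, braced, fixed) => {
    const cp = parseInt(braced || fixed, 16);
    // Out-of-range code points stay undecoded and are rejected below.
    return cp <= 0x10FFFF ? String.fromCodePoint(cp) : match;
  });
}

// Hardened check: normalize first, reject any leftover backslash, then allow
// only own properties of the target so inherited members are unreachable.
function hardenedIsSafe(target, rawName) {
  const name = decodeIdentifierEscapes(rawName);
  if (name.includes('\\')) return false; // malformed or double-encoded escape
  if (DENIED.has(name)) return false;
  return Object.prototype.hasOwnProperty.call(target, name);
}

// Run both checks over a list of raw names and report where they disagree.
function audit(target, rawNames) {
  return rawNames.map((raw) => ({
    raw,
    resolved: decodeIdentifierEscapes(raw),
    naive: naiveIsSafe(raw),
    hardened: hardenedIsSafe(target, raw),
  }));
}

// Constructed sample input: property names as they would appear in an expression.
const scope = { radius: 2 };
const samples = ['radius', 'constructor', 'co\\u006Estructor',
  'co\\u{6E}structor', 'co\\u005Cu006Estructor', 'toString'];
console.table(audit(scope, samples));
```

The rows where `naive` is true and `hardened` is false are the names a raw-text denylist lets through.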

Technical Appendix

CVSS Score
9.8 / 10
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability
0.49%
Top 35% most exploited

Affected Systems

Node.js applications using math.js < 3.17.0
Web applications using math.js client-side (impacts user session via XSS/Context manipulation)

Affected Versions Detail

| Product | Affected Versions | Fixed Version |
| --- | --- | --- |
| math.js (Jos de Jong) | < 3.17.0 | 3.17.0 |

| Attribute | Detail |
| --- | --- |
| CWE ID | CWE-88 |
| CVSS v3.0 | 9.8 (Critical) |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network (Input Injection) |
| EPSS Score | 0.48% |
| Exploit Status | PoC Available |

CWE-88
Argument Injection or Modification

Improper Neutralization of Argument Delimiters or Special Characters

Vulnerability Timeline

2017-11-18: Vulnerability identified and fixed in version 3.17.0
2017-11-27: CVE-2017-1001003 Published
