[GHSA-jvff-x2qm-6286] mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes

[marado]

Updates

• Affected products
• Description

Comments
Not all versions < 15.2.0 are affected: the set vulnerability was introduced in 13.1.0, while the other was introduced in 13.1.1. Versions < 13.1.0 are not affected.

[github]

Hi there @josdejong! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[shelbyc]

Hi @marado, I tried looking for commits that showed the introduction of vulnerable code in versions 13.1.0 and 13.1.1. Are these the commits that introduced the vulnerabilities?

• For 13.1.0: josdejong/mathjs@a1eec93
• For 13.1.1: josdejong/mathjs@ed2cce4

[marado]

For 13.1.0 the commit would be josdejong/mathjs@bcf0da4

[advisory-database]

Hi @marado! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[josdejong]

Thanks @marado and @shelbyc for looking into this!

I created a single advisory but the GitHub Staff explained that they cannot create a CVE for that because it is about two vulnerabilities, see: https://github.com/josdejong/mathjs/security/advisories/GHSA-jvff-x2qm-6286#advisory-comment-187365.

So in summary:

Vulnerability 1: Unsafe array index getter

• Description: validate that the index in the .get() methods is an Array
• Introduced in v13.1.0 via: josdejong/mathjs@bcf0da4
• Fixed in v15.2.0 via: josdejong/mathjs@24d5ee7 (PR: Fix two security vulnerabilities in the expression parser josdejong/mathjs#3656)

Vulnerability 2: Unsafe object property setter

• Description: improve the internal setSafeProperty to not allow setting properties other than numeric indices or length on arrays
• Introduced in v13.1.1 via: josdejong/mathjs@ed2cce4
• Fixed in v15.2.0 via: josdejong/mathjs@513ab2a (PR: Fix two security vulnerabilities in the expression parser josdejong/mathjs#3656)

I'm not sure how best to procede so that both vulnerabilities can get a CVE: change the created advisory to describe the first first vulnerability and then create a second advisory? Or create two new advisories?

[shelbyc]

@josdejong I would recommend changing the description of GHSA-jvff-x2qm-6286 to be about vulnerability 1 and creating a second, separate advisory for vulnerability 2.

[josdejong]

Thanks Shelby, I'm new to advisories so I wasn't sure for example how permanent things like publishing an advisory are.

I've now created a new advisory and have updated the first one. I've requested a CVE for both.

• Vulnerability 1: Unsafe array index getter: GHSA-jvff-x2qm-6286 new advisory: GHSA-5v89-rwgr-qj6g
• Vulnerability 2: Unsafe object property setter in mathjs: GHSA-29qv-4j9f-fjw5

[shelbyc]

@josdejong The re-request for GHSA-jvff-x2qm-6286 was closed by mistake about 40 minutes ago, but you should see a message in GHSA-29qv-4j9f-fjw5 inviting you to submit a re-request for GHSA-jvff-x2qm-6286.

[josdejong]

👍 done

[shelbyc]

Thanks for letting me know! GHSA-5v89-rwgr-qj6g has CVE-2026-41139.