mathjs, Improperly Controlled Modification of Dynamically-Determined Object Attributes, GHSA-jvff-x2qm-6286 (High) The vulnerability resides in the expression parser of the mathjs library, specifically in how it handles dynamically‑determined object attributes. When a user‑supplied expression is evaluated, the parser fails to properly sanitize or restrict the modification of these dynamic attributes. An attacker can craft an expression that manipulates object properties in a way that escapes the intended sandbox. By leveraging JavaScript’s prototype chain or by overwriting internal methods, the malicious expression can break out of the parser’s context and execute arbitrary JavaScript code....
mathjs Expression Parser Vulnerability GHSA-jvff-x2qm-6286
More Relevant Posts
Exposed Facebook Graph API Token in JS File: How a Simple Find Became a High-Severity Exploit + Video Introduction: Modern web applications frequently rely on client-side JavaScript that may inadvertently hardcode sensitive API tokens, including Facebook Graph API tokens. Attackers who discover such tokens can escalate a seemingly low-risk finding into a high-severity compromise by exploiting the token’s permissions repeatedly before reporting. This article dissects a real-world bug bounty case where an exposed Graph API token in a JS file led to a critical vulnerability, providing step-by-step technical workflows, tools, and mitigation strategies....
AgentService (Nodejs), YAML Deserialization RCE, CVE-2020-8131 (Critical) The CVE-2020-8131 vulnerability exists in the js-yaml library when the `load()` function parses YAML without a safe schema. By default, js-yaml supports custom tags like `!!js/function` and `!!js/undefined`, which allow embedding and evaluating JavaScript code. The vulnerable `AgentService.loadAgentFromFile` method at `src/agents/agent.service.ts:55` calls `yaml.load(fileContent)` without specifying `JSON_SCHEMA` or `DEFAULT_SAFE_SCHEMA`. An attacker crafts a YAML file containing `!!js/function > function(){ require('child_process').execSync('touch /tmp/pwned') }`...
math-codegen, Remote Code Execution (RCE) via String Literal Injection, GHSA-p6x5-p4xf-cc4r (Critical) The vulnerability resides in how `math-codegen` processes string literals. When an application passes user‑controlled input to cg.parse(), the library does not sanitize or escape the string content. Instead, it injects that content verbatim into the body of a dynamically generated JavaScript function using new Function(...). This turns any unsanitized string literal into executable code. An attacker can craft a malicious expression containing system commands (e.g., …...
Built an efficient LRU Cache from scratch using JavaScript.

Key highlights of the implementation:
- Designed a custom Doubly Linked List for O(1) insertions and deletions
- Used a HashMap to achieve constant-time access
- Ensured optimal eviction strategy by always removing the least recently used node
- Maintained strict O(1) time complexity for both get and put operations

Performance:
- Runtime: 102 ms (faster than ~57% of submissions)
- Memory: 113.67 MB

This problem reinforced how combining data structures (HashMap + DLL) leads to highly optimized systems — a pattern widely used in real-world caching systems like databases and browsers. Continuing to focus on writing clean, efficient, and scalable code.

#DataStructures #Algorithms #JavaScript #SystemDesign #Coding
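As an added example (not the post author's submission), here is an LRU cache built the way the post describes: a Map for O(1) key lookup plus a doubly linked list with sentinel nodes that keeps the most recently used node at the head and evicts from the tail. `get` returns -1 on a miss (assumption: the LeetCode-style interface that the post's runtime numbers suggest), and `keysMostRecentFirst` is a helper added only so the eviction order can be inspected.

```javascript
// Added example: LRU cache = HashMap (Map) + doubly linked list, O(1) get and put.
// Not the post author's code; the -1 miss value and keysMostRecentFirst are assumptions.
class Node {
  constructor(key, value) {
    this.key = key;
    this.value = value;
    this.prev = null;
    this.next = null;
  }
}

class LRUCache {
  constructor(capacity) {
    if (!Number.isInteger(capacity) || capacity <= 0) {
      throw new RangeError('capacity must be a positive integer');
    }
    this.capacity = capacity;
    this.map = new Map(); // key -> Node, constant-time access
    // Sentinel head/tail nodes remove null checks when unlinking at either end.
    this.head = new Node(null, null);
    this.tail = new Node(null, null);
    this.head.next = this.tail;
    this.tail.prev = this.head;
  }

  // Detach a node from the list in O(1); the node keeps its own pointers.
  _unlink(node) {
    node.prev.next = node.next;
    node.next.prev = node.prev;
  }

  // Insert a node right after the head, i.e. mark it most recently used.
  _pushFront(node) {
    node.next = this.head.next;
    node.prev = this.head;
    this.head.next.prev = node;
    this.head.next = node;
  }

  get(key) {
    const node = this.map.get(key);
    if (!node) return -1;
    this._unlink(node);     // a hit refreshes recency
    this._pushFront(node);
    return node.value;
  }

  put(key, value) {
    let node = this.map.get(key);
    if (node) {
      node.value = value;   // update in place and refresh recency
      this._unlink(node);
      this._pushFront(node);
      return;
    }
    if (this.map.size >= this.capacity) {
      const lru = this.tail.prev; // least recently used sits just before the tail
      this._unlink(lru);
      this.map.delete(lru.key);
    }
    node = new Node(key, value);
    this.map.set(key, node);
    this._pushFront(node);
  }

  // Walk head -> tail; returns keys from most to least recently used.
  keysMostRecentFirst() {
    const keys = [];
    for (let n = this.head.next; n !== this.tail; n = n.next) keys.push(n.key);
    return keys;
  }
}

// The classic capacity-2 trace: returns [1, -1, -1, 3, 4].
function demo() {
  const cache = new LRUCache(2);
  cache.put(1, 1);
  cache.put(2, 2);
  const first = cache.get(1);   // 1; key 1 becomes most recent
  cache.put(3, 3);              // evicts key 2
  const second = cache.get(2);  // -1
  cache.put(4, 4);              // evicts key 1
  return [first, second, cache.get(1), cache.get(3), cache.get(4)];
}

module.exports = { LRUCache, demo };
```

Every operation touches a fixed number of pointers, which is where the O(1) bound comes from; the Map only ever holds live nodes because eviction deletes the key in the same step that unlinks the node.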
Three dots that changed JavaScript: ...

The spread operator in action:

Arrays:
```javascript
// Copy
const copy = [...original]
// Merge
const all = [...arr1, ...arr2]
// Add items
const updated = [...items, newItem]
```

Objects:
```javascript
// Copy
const clone = { ...user }
// Merge
const combined = { ...defaults, ...config }
// Update
const modified = { ...user, age: 30 }
```

Function calls:
```javascript
Math.max(...numbers)
fetch(url, { ...defaultOptions, ...customOptions })
```

Before spread operator:
```javascript
const copy = original.slice()
const merged = Object.assign({}, obj1, obj2)
fn.apply(null, args)
```

After spread operator:
```javascript
const copy = [...original]
const merged = { ...obj1, ...obj2 }
fn(...args)
```

The magic:
→ No mutation (safer code)
→ Cleaner syntax
→ Works with any iterable
→ Essential for React state
→ Makes immutability easy

Three dots. Infinite possibilities.
Most JavaScript developers know V8 compiles their code. Far fewer know that when their code calls Math.random(), V8 doesn't generate the number in its main interpreter. 🤔 It hands the work to a dedicated module with its own state, its own algorithm, and a buffer of 64 pre-computed values invisible to JavaScript code. The same architectural pattern V8 uses for regular expressions, where Irregexp takes over the moment the runtime sees a /pattern/. The algorithm is xorshift128+, designed by Sebastiano Vigna in 2014. Three shifts, three XORs, one addition, on a 128-bit state. Fast enough to run at ~90 nanoseconds per call. Statistically excellent: passes BigCrush, the gold-standard test suite. And cryptographically broken by design: an attacker who observes three Math.random() outputs can recover the full internal state with a Z3 solver in under a second, then predict every future output. This is not a theoretical concern. CVE-2025-7783 (CVSS 9.4 critical, July 2025) hit form-data, a transitive dependency in millions of weekly npm downloads, because it generated multipart boundaries with Math.random(). Three observations, one Z3 query, one HTTP Parameter Pollution attack. The bug had been there for years. The deeper insight: Math.random() is not a random number generator. It is a deterministic state machine that produces the illusion of randomness. Every major engine (V8, JavaScriptCore, SpiderMonkey) converged on the same algorithm in 2015-2016. Knowing what's behind the function is the difference between code that happens to work and code we understand. 
The full deep dive, with Z3 code, hex traces, IEEE 754 bit-layout, tinybench numbers, and the TC39 proposals on the way: 👉 https://lnkd.in/eFYXuswp Four links worth reading alongside it: → V8's own write-up on the xorshift128+ migration: https://lnkd.in/eD4uDQJ4 → Vigna's xorshift+ paper (the algorithm itself): https://lnkd.in/eSBFszd6 → The CVE-2025-7783 advisory: https://lnkd.in/eGF5wBUW → The state-recovery PoC by PwnFunction: https://lnkd.in/eEAr3CFX https://lnkd.in/eFYXuswp Happy reading and discovering! 😊🚀📚 #javascript #nodejs #typescript #webdev #softwareengineering #security
Day 5/75 Blind 75 - Valid Anagram (#242) - Frequency + Sorting Innovation!

My 3-step approach:
- Length check → early exit
- Dual HashMaps → count frequencies
- Sorted comparison → genius match!

```javascript
var isAnagram = function(s, t) {
    // Different lengths can never be anagrams
    if (s.length !== t.length) return false;
    // Character frequency maps for both strings
    const sCount = {}, tCount = {};
    for (let i = 0; i < s.length; i++) {
        sCount[s[i]] = 1 + (sCount[s[i]] || 0);
        tCount[t[i]] = 1 + (tCount[t[i]] || 0);
    }
    // Sort the [char, count] pairs so key order does not matter, then compare
    const sortedSCount = Object.entries(sCount).sort();
    const sortedTCount = Object.entries(tCount).sort();
    return JSON.stringify(sortedSCount) === JSON.stringify(sortedTCount);
};
```

"anagram" vs "nagaram":
```text
sCount: {a:3,n:1,g:1,r:1,m:1}
tCount: {n:1,a:3,g:1,r:1,a:1,m:1}
sorted → [["a",3],["g",1],...]
MATCH ✓
```

Why brilliant:
- Handles edge cases perfectly
- Visual frequency verification
- O(n log k) where k=unique chars

HashMap mastery: Day3(exists) → Day5(counts + sort)
Progress: 5/75 → Arrays domination!

#DSA #LeetCode #Blind75 #JavaScript #Frontend #HyderabadTech