mathjs is vulnerable to unauthorized constructor replacement. The vulnerability is possible because restricted properties like constructor functions can be replaced by unicode characters when creating an object. This can lead to arbitrary code execution attack through the constructor.