CVE-2022-21122

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-21122

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-21122.json

Aliases

GHSA-5gc4-cx9x-9c43
SNYK-JS-METACALC-2826197

Published

2022-06-08T09:15:08Z

Modified

2023-11-29T09:15:23.615509Z

Details

The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor.

References

https://snyk.io/vuln/SNYK-JS-METACALC-2826197
https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd
https://github.com/metarhia/metacalc/pull/16

Affected packages

Git / github.com/metarhia/metacalc

Affected ranges

Type: GIT
Repo: https://github.com/metarhia/metacalc
Events: Introduced

0The exact introduced commit is unknown

Fixed

625c23d63eabfa16fc815f5832b147b08d2144bd

Affected versions

v0.*

v0.0.1