GHSA-5gc4-cx9x-9c43

Source

https://github.com/advisories/GHSA-5gc4-cx9x-9c43

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-5gc4-cx9x-9c43/GHSA-5gc4-cx9x-9c43.json

Aliases

CVE-2022-21122
SNYK-JS-METACALC-2826197

Published

2022-06-09T00:00:29Z

Modified

2023-11-08T04:08:03.978012Z

Details

The package metacalc before 0.0.2 is vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-21122
https://github.com/metarhia/metacalc/pull/16
https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd
https://github.com/metarhia/metacalc
https://snyk.io/vuln/SNYK-JS-METACALC-2826197

Affected packages

npm / metacalc

Package

Name: metacalc

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

0.0.2