CVE-2022-21122 – metacalc
Package
Manager: npm
Name: metacalc
Vulnerable Version: >=0 <0.0.2
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.01564 (percentile 0.80809)
Details
Code Injection in metacalc
The package metacalc before 0.0.2 is vulnerable to Arbitrary Code Execution because it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor.
Metadata
Created: 2022-06-09T00:00:29Z
Modified: 2022-06-20T22:01:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-5gc4-cx9x-9c43/GHSA-5gc4-cx9x-9c43.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-5gc4-cx9x-9c43
Finding: F422
Auto approve: 1