CVE-2022-21122 Vulnerability in npm package metacalc

Description

The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor.

Remediation

References

https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd

https://github.com/metarhia/metacalc/pull/16

https://snyk.io/vuln/SNYK-JS-METACALC-2826197

Related Vulnerabilities

CVE-2022-21169 Vulnerability in npm package express-xss-sanitizer

CVE-2022-39202 Vulnerability in npm package matrix-appservice-irc

CVE-2021-21316 Vulnerability in npm package less-openui5

CVE-2021-27516 Vulnerability in maven package org.webjars.npm:urijs

CVE-2020-11988 Vulnerability in maven package org.apache.xmlgraphics:xmlgraphics-commons

Severity

Critical

Classification

CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H