CVE-2022-21122

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in npm/metacalc

Identifiers

CVE-2022-21122, GHSA-5gc4-cx9x-9c43

Package Slug

npm/metacalc

Vulnerability

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

The package metacalc before 0.0.2 is vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math object to the V8 context. Because the Math object is exposed to user-land code, it can be used to get access to JavaScript's Function constructor.
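The following check is an added example, not code from metacalc or from its fix: it uses Node's `vm` module to flag sandbox properties that still belong to the host realm, which is the condition the description refers to. The names `hostRealmLeaks` and `evaluate` and the sample sandboxes are assumptions made for illustration.

```javascript
'use strict';
const vm = require('node:vm');

// Returns the names of sandbox properties that belong to the host realm,
// i.e. whose constructor chain ends at the host's Function constructor.
function hostRealmLeaks(sandbox) {
  const leaks = [];
  for (const [name, value] of Object.entries(sandbox)) {
    const isRef = value !== null &&
      (typeof value === 'object' || typeof value === 'function');
    if (!isRef) continue; // primitives carry no reference into the host realm
    const ctor = value.constructor;
    if (ctor && ctor.constructor === Function) leaks.push(name);
  }
  return leaks;
}

// Hypothetical evaluator: refuses to build a context from host-realm objects.
function evaluate(expr, sandbox = Object.create(null)) {
  const leaks = hostRealmLeaks(sandbox);
  if (leaks.length > 0) {
    throw new TypeError(`host-realm objects in sandbox: ${leaks.join(', ')}`);
  }
  // A fresh context already has its own Math, created inside its own realm,
  // so the host's Math does not need to be passed in.
  return vm.runInContext(expr, vm.createContext(sandbox), { timeout: 100 });
}

// Constructed sample sandboxes.
const weak = { Math }; // host Math handed to the context
const contextOwn = { Math: vm.runInContext('Math', vm.createContext({})) };

console.log(hostRealmLeaks(weak));          // host Math is reported
console.log(hostRealmLeaks(contextOwn));    // context-created Math is not
console.log(evaluate('Math.max(2, 7) + 1'));
```

The check is an identity heuristic for review and testing, not a sandbox: Node's documentation states that `node:vm` is not a security mechanism, and the remediation for this advisory remains the upgrade listed under Solution.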

Affected Versions

All versions before 0.0.2

Solution

Upgrade to version 0.0.2 or above.

Last Modified

2022-06-10
