CVE-2022-21122: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
(updated )
The package metacalc before 0.0.2 is vulnerable to Arbitrary Code Execution when it exposes JavaScript’s Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript’s Function constructor.
References
Detect and mitigate CVE-2022-21122 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →