CVE-2022-21122 — Code Injection in metacalc

Description

The package metacalc before 0.0.2 is vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor.

How to fix CVE-2022-21122

To remediate CVE-2022-21122, upgrade the affected package to a fixed version below.

npm/metacalc—upgrade to 0.0.2 or later

Is CVE-2022-21122 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.0	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-21122
PATCHgithub.com/metarhia/metacalc
WEBgithub.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd
WEBgithub.com/metarhia/metacalc/pull/16
WEB