CVE-2022-21122: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

June 8, 2022 (updated June 17, 2022)

The package metacalc before 0.0.2 is vulnerable to Arbitrary Code Execution when it exposes JavaScript’s Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript’s Function constructor.

References

github.com/advisories/GHSA-5gc4-cx9x-9c43
github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd
github.com/metarhia/metacalc/pull/16
nvd.nist.gov/vuln/detail/CVE-2022-21122
snyk.io/vuln/SNYK-JS-METACALC-2826197

Code Behaviors & Features

Detect and mitigate CVE-2022-21122 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →