CVE-2022-21122: 
JavaScript vulnerability analysis and mitigation

CVE-2022-21122 affects the metacalc package versions before 0.0.2. The vulnerability was discovered on May 17, 2022, and publicly disclosed on May 30, 2022. This security issue involves arbitrary code execution vulnerability in the JavaScript Math class exposure to the v8 context (Snyk Advisory).

The vulnerability occurs when the package exposes JavaScript's Math class to the v8 context. Since the Math class is exposed to user-land, it can be exploited to gain access to JavaScript's Function constructor, enabling arbitrary code execution. The vulnerability has a CVSS v3.1 base score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H according to NVD, while Snyk rates it with a CVSS score of 9.0 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (NVD).

A successful exploitation of this vulnerability can result in complete compromise of the affected system, allowing attackers to execute arbitrary code. This could lead to total loss of confidentiality, integrity, and availability of the affected system. The vulnerability enables attackers to access sensitive information, modify data, and potentially gain full control of the system (Snyk Advisory).

The vulnerability has been fixed in version 0.0.2 of the metacalc package. Users should upgrade to this version or later to mitigate the risk. The fix involves implementing proper access controls on the Math class to prevent arbitrary code execution (GitHub Commit).

The vulnerability was responsibly disclosed and addressed through GitHub pull request #16. The fix was reviewed and approved by security researchers, with multiple iterations of improvements to ensure the security issue was properly addressed (GitHub PR).