While bug hunting on LegalRobot, I discovered a privilege escalation bug in Meteor by abusing JavaScript's weak types.

I read a great blog post by @CapacitorSet and @denysvitali about discovering a RCE vulnerability in math.js, and I was inspired to find some vulnerabilities for myself.