Description
The vulnerability, reported by GoSecure Inc, allows Remote Code Execution whenever an application calls `expressions.compile(userControlledInput)` where `userControlledInput` is text that comes from user input. The protection added after the earlier CVE-2020-5219 could be bypassed with a more complex payload that uses a `.constructor.constructor` technique: in JavaScript every object's `constructor` is a function, and every function's `constructor` is the global `Function`, which compiles arbitrary source text. A property walk that is not checked at every hop therefore turns a read of the expression scope into code execution.
Recommendation
Update the angular-expressions package to the latest compatible version. Check transitive dependencies as well, since the package is often pulled in indirectly; `npm ls angular-expressions` lists every installed copy and its version. Version details:
- Affected version(s): < 1.1.2
- Patched version(s): 1.1.2
References
- GHSA-j6px-jwvv-vpwq
- www.npmjs.com
- blog.angularjs.org
- CVE-2021-21277
- CWE-74
- CWE-94
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Remote Code Execution in Angular Expressions - CVE-2020-5219
- DOMPurify allows Cross-site Scripting (XSS) - CVE-2025-26791
- lite-server vulnerable to Denial of Service - CVE-2022-25940
- Manifest Uses a One-Way Hash without a Salt - CVE-2025-27408
Tags
- npm
- angular-expressions
Last updated on February 01, 2023