Angular Expressions - Remote Code Execution using filters

Description

An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.

Recommendation

Update the angular-expressions package to the latest compatible version. Followings are version details:

• Affected version(s): <= 1.5.1
• Patched version(s): 1.5.2

References

• GHSA-pw8r-6689-xvf4
• CVE-2026-44643
• CWE-95
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Angular Expressions - Remote Code Execution when using locals - CVE-2024-54152
• Remote Code Execution in Angular Expressions - CVE-2020-5219
• Angular Expressions - Remote Code Execution - CVE-2021-21277
• FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894

You might also like:

Security Testing of WebSites Using JavaScript

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

angular-expressions