Server-side template injection in angular-expressions
Description
Angular Expressions - Remote Code Execution when using locals
Impact
An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.
Example of vulnerable code:
```js
const expressions = require("angular-expressions");
// Pass both a scope and a locals object to the compiled function.
const result = expressions.compile("__proto__.constructor")({}, {});
// result should be undefined; for versions <= 1.4.2 it returns an object.
```
With a more complex (undisclosed) payload, one can achieve arbitrary code execution on the system.
Patches
The problem has been patched in version 1.4.3 of angular-expressions.
Workarounds
There is one workaround if it is not possible for you to update:
Make sure that you call the compiled function with just one argument, i.e. this is not vulnerable:
```js
const result = expressions.compile("__proto__.constructor")({});
```
In this case you lose the locals feature if you need it.
Credits
Credits go to JorianWoltjer, who found the issue and reported it to us. https://jorianwoltjer.com/
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected versions | Patched versions |
|---|---|---|---|
| npm | angular-expressions | <= 1.4.2 | 1.4.3 |