Remote command execution in angular-expressions

Description

Angular Expressions - Remote Code Execution using filters

Impact

An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.

Example of vulnerable code:

const expressions = require("angular-expressions");
const result = expressions.compile("a | __proto__")({}, {});

This should throw the error "Filter '__proto__' is not defined"; instead it shows:

Uncaught SyntaxError: Unexpected identifier 'Object'

With a more complex (undisclosed) payload, one can achieve arbitrary code execution on the system.
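As an added defensive example (not the advisory's or angular-expressions' own code), the following pre-compile guard only admits expressions whose filter names appear in the application's own registered filter table, so an expression such as `a | __proto__` is refused before it ever reaches compile(). The filter-name extraction is a simplified tokenizer assumed here, and the registered filter table is constructed for illustration.

```javascript
// Added example: validate filter names in an expression before handing it
// to expressions.compile(). Not part of angular-expressions; the tokenizer
// below is a simplification assumed for this example.

// Names that resolve to prototype internals rather than a registered filter.
const FORBIDDEN_NAMES = new Set(["__proto__", "constructor", "prototype"]);

// Extract the identifier following each single '|' (not '||'), skipping
// anything inside quoted string literals.
function extractFilterNames(expr) {
  const names = [];
  let inQuote = null;
  for (let i = 0; i < expr.length; i++) {
    const ch = expr[i];
    if (inQuote) {
      if (ch === "\\") { i++; continue; }        // skip escaped character
      if (ch === inQuote) inQuote = null;
      continue;
    }
    if (ch === "'" || ch === '"') { inQuote = ch; continue; }
    if (ch === "|") {
      if (expr[i + 1] === "|") { i++; continue; } // logical OR, not a filter
      const m = /^\s*([A-Za-z_$][\w$]*)/.exec(expr.slice(i + 1));
      names.push(m ? m[1] : "");                  // "" marks a missing name
    }
  }
  return names;
}

// Returns { ok, rejected }: ok is true only when every filter name is an
// own property of the registered table and not a forbidden name.
function checkFilters(expr, registeredFilters) {
  const rejected = [];
  for (const name of extractFilterNames(expr)) {
    const known = name &&
      Object.prototype.hasOwnProperty.call(registeredFilters, name);
    if (!known || FORBIDDEN_NAMES.has(name)) rejected.push(name || "<missing>");
  }
  return { ok: rejected.length === 0, rejected };
}

// Constructed filter table for the example: a null-prototype object, so a
// lookup can never walk up to Object.prototype.
const registeredFilters = Object.assign(Object.create(null), {
  uppercase: (s) => String(s).toUpperCase(),
});
```

Only expressions for which checkFilters(...).ok is true should be passed on to expressions.compile().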

Vulnerable versions:

angular-expressions <= 1.5.1

Patches

The problem has been patched in version 1.5.2 of angular-expressions.

Credits

Credits go to San Gil from www.securityoffice.io, who found the issue and reported it to us.

Mitigation

Upgrade angular-expressions to version 1.5.2 or later.
