Docxtemplater vulnerability with angular parser - Remote Code Execution #488

edi9999 opened this issue Jan 23, 2020 · 0 comments


@edi9999 edi9999 commented Jan 23, 2020

A few minutes ago, CVE-2020-5219 got released which impacts users of the "angular-expressions" module. The issue was in the "angular-expressions" code and allows Remote Code Execution.

Here is some docxtemplater-specific information about the vulnerability:


The vulnerability allows Remote Code Execution.

You are impacted if you have the angular parser enabled AND the docx templates are written by untrusted people.

To check if you use the angular-parser, look whether you are calling doc.setOptions({parser: func}) and the function func uses the angular-expressions package.

The vulnerability was reported by GoSecure, Inc.


The vulnerability comes from "angular-expressions" and has been patched in version 1.0.1.
You are vulnerable if you use angular-expressions 1.0.0 or below.

To apply the patch, run:

npm install --save angular-expressions@1.0.1


It is possible to fix the issue without upgrading by either:

  • deactivating angular-parser, i.e. removing the parser option in doc.setOptions({parser: ...})

  • allowing only a subset of characters in the expressions:

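   const expressions = require("angular-expressions");
   // merge is not defined in the snippet; lodash's merge is assumed here
   const merge = require("lodash/merge");

   function angularParser(tag) {
      if (tag === ".") {
         return {
            get(s) {
               return s;
            },
         };
      }
      // Normalize typographic quotes inserted by word processors
      tag = tag.replace(/(’|“|”|‘)/g, "'");
      // Note: inside the character class, +-? is a range (U+002B to U+003F),
      // so it also admits , / ; < = >
      if (!/^[|a-zA-Z.0-9 :"'+-?]+$/.test(tag)) {
         // Allow only trusted characters inside angular expressions
         return {
            get(s) {
               return undefined;
            },
         };
      }
      const expr = expressions.compile(tag);
      return {
         get(scope, context) {
            // Merge the enclosing scopes so outer values are visible in nested tags
            let obj = {};
            const scopeList = context.scopeList;
            const num = context.num;
            for (let i = 0, len = num + 1; i < len; i++) {
               obj = merge(obj, scopeList[i]);
            }
            return expr(scope, obj);
         },
      };
   }

   doc.setOptions({parser: angularParser})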


Angular Expressions advisory

For more information

If you have any questions or comments about this advisory:


The vulnerability was found and reported by Maxime Nadeau from GoSecure, Inc.
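
The "1.0.0 or below" condition in the issue above applies to every installed copy of angular-expressions, including copies pulled in by other packages. The following is an added example, not part of the original issue or of docxtemplater's code: it walks a parsed package-lock.json and lists each copy older than 1.0.1. The function names, the sample lockfile and the package name "report-builder" are constructed for illustration.

```javascript
const PATCHED = [1, 0, 1]; // first fixed release named in the advisory

// "1.0.0" -> [1, 0, 0]; prerelease/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function isVulnerable(version) {
  const v = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== PATCHED[i]) return v[i] < PATCHED[i];
  }
  return false; // exactly 1.0.1
}

// Handles flat "packages" (lockfileVersion 2/3) and nested "dependencies" (lockfileVersion 1).
function findCopies(lock, name = "angular-expressions") {
  const found = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${name}`) && info.version) found.push({ path, version: info.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) found.push({ path, version: info.version });
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Paths of every installed copy older than 1.0.1.
function audit(lock) {
  return findCopies(lock).filter((c) => isVulnerable(c.version)).map((c) => c.path);
}

// Constructed sample (lockfileVersion 1); "report-builder" is a hypothetical package name.
const sampleLock = { lockfileVersion: 1, dependencies: {
  "angular-expressions": { version: "1.0.1" },
  "report-builder": { version: "2.3.0",
    dependencies: { "angular-expressions": { version: "0.3.0" } } },
} };
console.log(audit(sampleLock));
```

In a real project, pass `JSON.parse` of the package-lock.json contents to `audit`; a non-empty result means at least one copy still needs the upgrade.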
