
Angular Expressions - Remote Code Execution

High
edi9999 published GHSA-hxhm-96pp-2m43 Jan 23, 2020

Package

npm angular-expressions (npm)

Affected versions

< 1.0.1

Patched versions

1.0.1

Description

Impact

The vulnerability, reported by GoSecure Inc., allows Remote Code Execution if your application calls expressions.compile(userControlledInput) where userControlledInput is text that comes from user input.

  • If angular-expressions runs in the browser, an attacker can run arbitrary JavaScript in the victim's browser whenever the application code calls expressions.compile(userControlledInput).
  • If angular-expressions runs on the server (Node.js), an attacker can run arbitrary JavaScript in the server process, thus gaining Remote Code Execution.

Patches

Users should upgrade to version 1.0.1 of angular-expressions

Workarounds

Until you can upgrade, a temporary workaround is either to:

  • remove every code path that feeds user-controlled input into angular-expressions in your application

OR

  • allow only the following characters in userControlledInput before it reaches compile(), rejecting anything else:

  var result;
  if (/^[|a-zA-Z.0-9 :"'+-?]+$/.test(userControlledInput)) {
      result = expressions.compile(userControlledInput);
  } else {
      result = undefined;
  }

  Caveat: inside a character class, +-? is a range (0x2B to 0x3F), so this pattern also admits , / ; < = > in addition to the characters it spells out. Check that the set it actually accepts is what your application needs; escape the hyphen (+\-?) if you only want the literal +, - and ?.
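As an added illustration (example code written for this page, not code from the advisory or from the angular-expressions project), the block below wraps the gating logic shown above so that it can be exercised without the package installed: compile is injected as a parameter, and passesAllowlist, safeCompile and rangeOnlyChars are hypothetical helper names. It also makes visible a property of the published regex: inside a character class +-? is a range from 0x2B to 0x3F, so the allowlist also admits , / ; < = >, which matters because = is assignment and ; separates statements in Angular expression syntax. A second pattern with the hyphen escaped restricts the class to the literal characters.

```javascript
// Added example: input gating for angular-expressions.compile().
// Not part of the advisory or of the angular-expressions package.

// The allowlist exactly as published in the advisory workaround.
// Note that "+-?" inside [...] is a RANGE covering 0x2B..0x3F.
const ADVISORY_ALLOWLIST = /^[|a-zA-Z.0-9 :"'+-?]+$/;

// The same list with the hyphen escaped, so only the literal +, -, ? are allowed.
const LITERAL_ALLOWLIST = /^[|a-zA-Z.0-9 :"'+\-?]+$/;

// Returns true when the input is a string and every character is in the allowlist.
// The typeof guard matters: RegExp.test() coerces non-strings (e.g. 123 -> "123").
function passesAllowlist(input, allowlist = LITERAL_ALLOWLIST) {
  return typeof input === 'string' && allowlist.test(input);
}

// Lists the characters the advisory regex accepts only because of the
// unintended +-? range, i.e. accepted by ADVISORY_ALLOWLIST but not by
// LITERAL_ALLOWLIST.
function rangeOnlyChars() {
  const out = [];
  for (let code = 0x2b; code <= 0x3f; code++) {
    const ch = String.fromCharCode(code);
    if (ADVISORY_ALLOWLIST.test(ch) && !LITERAL_ALLOWLIST.test(ch)) {
      out.push(ch);
    }
  }
  return out;
}

// Mirrors the advisory's workaround: compile only when the input passes the
// allowlist, otherwise return undefined. `compile` is injected (hypothetical
// parameter) so the example runs offline; in real code pass
// require('angular-expressions').compile.
function safeCompile(compile, userControlledInput, allowlist = LITERAL_ALLOWLIST) {
  if (!passesAllowlist(userControlledInput, allowlist)) {
    return undefined;
  }
  return compile(userControlledInput);
}

// Stand-in for expressions.compile used in the demonstration below; it just
// records what would have been compiled.
function fakeCompile(source) {
  return { source };
}

// Constructed sample inputs (not from the advisory).
const samples = ['user.name | uppercase', 'a = 1', 'a; b', 'fn(x)', 'arr[0]'];
for (const s of samples) {
  console.log(
    JSON.stringify(s),
    'advisory:', passesAllowlist(s, ADVISORY_ALLOWLIST),
    'literal:', passesAllowlist(s, LITERAL_ALLOWLIST),
  );
}
console.log('admitted only via the +-? range:', rangeOnlyChars().join(' '));
console.log(safeCompile(fakeCompile, 'a + b'));
```

Parentheses and brackets are outside both patterns, so calls and computed member access are rejected by either; the difference between the two lies entirely in the range characters, and which of them your templates legitimately need is an application decision.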

References

Removal of angular-expression sandbox

For more information

If you have any questions or comments about this advisory:

Credits

The issue was reported by Maxime Nadeau from GoSecure, Inc.

Severity

High

CVE ID

CVE-2020-5219

Weaknesses

No CWEs
