Lucene search
AnonymousNODEJS:1618HistoryFeb 23, 2021 - 2:02 a.m.
Remote Code Execution
2021-02-2302:02:11
Anonymous
www.npmjs.com
55
0.009 Low
EPSS
Percentile
82.9%
Overview
Affected versions of angular-expressions are affected by a remote code execution vulnerability.
Impact
If you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input you are potentially impacted.
The security of the package could be bypassed by using a more complex payload, using a .constructor.constructor technique.
- If running
angular-expressionsin the browser, an attacker could run any browser script when the application code callsexpressions.compile(userControlledInput). - If running
angular-expressionson the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution.
Workarounds
A temporary workaround might be either to :
- disable user-controlled input that will be fed into
angular-expressionsin your application
OR
- allow only following characters in the userControlledInput :
if (/^[|a-zA-Z.0-9 :"'+-?]+$/.test(userControlledInput)) {
var result = expressions.compile(userControlledInput);
}
else {
result = undefined;
}
Recommendation
Upgrade to version 1.1.2 or later.
References
| CPE | Name | Operator | Version |
|---|---|---|---|
| angular-expressions | lt | 1.1.2 |
Related
prion
prion
Remote code execution
2021-02-01 15:15:00
cvelist
cvelist
CVE-2021-21277 Angular Expressions - Remote Code Execution
2021-02-01 15:05:24
github
github
Angular Expressions - Remote Code Execution
2021-02-01 15:01:26
cve
cve
CVE-2021-21277
2021-02-01 15:15:13
nvd
nvd
CVE-2021-21277
2021-02-01 15:15:13
osv
osv
Angular Expressions - Remote Code Execution
2021-02-01 15:01:26
veracode
veracode
Remote Code Execution (RCE)
2021-02-02 02:18:47