Affected versions of angular-expressions contain a remote code execution vulnerability. If you call `expressions.compile(userControlledInput)` where `userControlledInput` is text that comes from user input, you are potentially impacted.

The package's existing protections could be bypassed with a more complex payload that uses a `.constructor.constructor` technique.
- If you use angular-expressions in the browser, an attacker could run any browser script when the application code calls `expressions.compile(userControlledInput)`.
- If you use angular-expressions on the server, an attacker could run any JavaScript expression, thus gaining remote code execution.

A temporary workaround might be either to:

- stop using angular-expressions in your application, OR
- only pass input to `expressions.compile` when it consists of a restricted set of characters, as in the following snippet:
```javascript
var expressions = require("angular-expressions");
var result;
// Only compile input made entirely of characters from this allowlist. Note that
// "+-?" inside the character class is a range from "+" to "?", so it also admits
// ",", "/", ";", "<", "=" and ">"; parentheses, brackets, braces and backticks
// are refused, which blocks the call syntax needed to invoke a constructor.
if (/^[|a-zA-Z.0-9 :"'+-?]+$/.test(userControlledInput)) {
  result = expressions.compile(userControlledInput);
} else {
  result = undefined;
}
```
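The following helper wraps the advisory's allowlist check in a reusable function with a rejection hook for logging. It is an added example, not code from the advisory or the angular-expressions project; the `compile` function is injected so the check can be exercised without the library installed, and all sample inputs are constructed.

```javascript
// Added example (not part of the advisory): a wrapper that applies the
// advisory's allowlist before handing user-controlled text to compile().

// The advisory's allowlist. "+-?" inside the class is a range from "+" (0x2B)
// to "?" (0x3F), so ",", "/", ";", "<", "=" and ">" are also admitted, while
// "(", ")", "[", "]", "{", "}" and "`" are not. The identifier "constructor"
// itself is not blocked; the check relies on refusing call syntax instead.
const ALLOWED = /^[|a-zA-Z.0-9 :"'+-?]+$/;

function isAllowedExpression(input) {
  return typeof input === "string" && ALLOWED.test(input);
}

// Returns the compiled expression, or undefined when the input is refused
// (the same shape as the advisory's workaround). onReject is an optional
// hook so refused inputs can be written to application logs.
function compileUntrusted(compile, input, onReject) {
  if (!isAllowedExpression(input)) {
    if (onReject) onReject(input);
    return undefined;
  }
  return compile(input);
}

// Constructed inputs for demonstration. fakeCompile stands in for
// require("angular-expressions").compile and only records its argument.
const fakeCompile = (src) => ({ source: src });
const rejected = [];
const samples = [
  "user.firstName + ' ' + user.lastName", // allowed: concatenation
  "items | filter:'a'",                   // allowed: pipe syntax
  "user.name.toUpperCase()",              // refused: call parentheses
  "items[0]",                             // refused: brackets
];
const results = samples.map((s) =>
  compileUntrusted(fakeCompile, s, (bad) => rejected.push(bad))
);
```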
Upgrade to version 1.1.2 or later.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | angular-expressions | lt | 1.1.2 |