The vulnerability, reported by GoSecure Inc, allows Remote Code Execution if you call expressions.compile(userControlledInput), where userControlledInput is text that comes from user input.

This time, the security of the package could be bypassed by using a more complex payload that relies on a .constructor.constructor technique.
Users should upgrade to version 1.1.2 of angular-expressions.

A temporary workaround might be either to:
OR
```javascript
var result;
// Allowlist check before compiling: only the listed characters may appear in the input.
// Note that "+-?" inside the character class is a range from "+" (0x2B) to "?" (0x3F),
// so it also admits the characters between them (e.g. "," "/" ";" "<" "=" ">").
if (/^[|a-zA-Z.0-9 :"'+-?]+$/.test(userControlledInput)) {
  result = expressions.compile(userControlledInput);
} else {
  result = undefined;
}
```
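As an added example (not code from the advisory or the angular-expressions project), the workaround's allowlist wrapped in a reusable guard, beside a stricter variant that escapes the hyphen so only the literal "+", "-" and "?" are admitted. `guardedCompile` takes the compile function as a parameter (in practice `expressions.compile`) so the snippet runs without the package installed; the stricter regex is an assumption, not the advisory's text.

```javascript
// Allowlist exactly as given in the advisory. Inside a character class, "+-?"
// is a RANGE from "+" (0x2B) to "?" (0x3F), so besides the characters it
// spells out it also admits , / ; < = > (and - which is inside the range).
const ADVISORY_ALLOWLIST = /^[|a-zA-Z.0-9 :"'+-?]+$/;

// Stricter variant (an assumption added here, not from the advisory): the
// hyphen is escaped, so only the literal "+", "-" and "?" pass.
const STRICT_ALLOWLIST = /^[|a-zA-Z.0-9 :"'+\-?]+$/;

// True when every character of `input` is in the allowlist. Parentheses and
// brackets are in neither list, so call and index syntax is always rejected.
function isAllowed(input, allowlist = STRICT_ALLOWLIST) {
  return typeof input === 'string' && allowlist.test(input);
}

// Compile only when the input passes the allowlist; otherwise return
// undefined, mirroring the advisory's `result = undefined` branch.
// `compile` is injected (e.g. expressions.compile) so this runs stand-alone.
function guardedCompile(compile, userControlledInput, allowlist = STRICT_ALLOWLIST) {
  if (!isAllowed(userControlledInput, allowlist)) {
    return undefined;
  }
  return compile(userControlledInput);
}

// Characters in `sample` that the advisory regex admits but the strict one
// rejects; handy for reviewing what a deployed filter actually lets through.
function extraCharsAdmitted(sample) {
  return [...new Set(sample)].filter(
    (ch) => ADVISORY_ALLOWLIST.test(ch) && !STRICT_ALLOWLIST.test(ch)
  );
}

// Constructed sample inputs: a benign template expression and one using call syntax.
const benign = 'user.name + " " + count';
const withCall = 'a(b)';
console.log(isAllowed(benign), isAllowed(withCall)); // true false
console.log(extraCharsAdmitted(',-./;<=>()[]'));     // [ ',', '/', ';', '<', '=', '>' ]
```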
Removal of angular-expression sandbox
If you have any questions or comments about this advisory:
The issue was reported by Maxime Nadeau from GoSecure, Inc.
CPE | Name | Operator | Version
---|---|---|---
 | angular-expressions | lt | 1.1.2
https://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html
https://github.com/peerigon/angular-expressions/commit/07edb62902b1f6127b3dcc013da61c6316dd0bf1
https://github.com/peerigon/angular-expressions/security/advisories/GHSA-j6px-jwvv-vpwq
https://nvd.nist.gov/vuln/detail/CVE-2021-21277
https://www.npmjs.com/package/angular-expressions