angular-expressions is angulars nicest part extracted as a standalone module for the browser and node. In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a .constructor.constructor technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. This is fixed in version 1.1.2 of angular-expressions A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Angular-expressions | Peerigon | * | 1.1.2 (excluding) |