GHSA-pw8r-6689-xvf4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pw8r-6689-xvf4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-pw8r-6689-xvf4/GHSA-pw8r-6689-xvf4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pw8r-6689-xvf4
- Aliases
-
- CVE-2026-44643
- Published
- 2026-05-11T16:20:58Z
- Modified
- 2026-05-13T14:01:28.537863Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Angular Expressions - Remote Code Execution using filters
- Details
-
Impact
An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.
Example of vulnerable code:
const expressions = require("angular-expressions"); const result = expressions.compile("a | __proto__")({}, {});This should throw the error : Filter 'proto' is not defined, however, this shows :
Uncaught SyntaxError: Unexpected identifier 'Object'
With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system.
Vulnerable versions :
angular-expressions <= 1.5.1
Patches
The problem has been patched in version 1.5.2 of angular-expressions.
Credits
Credits go to San Gil from www.securityoffice.io who has found the issue and reported it to us.
- Database specific
{ "github_reviewed_at": "2026-05-11T16:20:58Z", "github_reviewed": true, "severity": "CRITICAL", "nvd_published_at": "2026-05-11T16:17:36Z", "cwe_ids": [ "CWE-95" ] }- References
Affected packages
npm / angular-expressions
Package
- Name
- angular-expressions
- View open source insights on deps.dev
- Purl
- pkg:npm/angular-expressions