GHSA-5462-4vcx-jh7j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5462-4vcx-jh7j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5462-4vcx-jh7j/GHSA-5462-4vcx-jh7j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5462-4vcx-jh7j
- Aliases
- Published
- 2024-12-10T16:54:50Z
- Modified
- 2024-12-10T20:59:46Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Angular Expressions - Remote Code Execution when using locals
- Details
-
Impact
An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.
Example of vulnerable code:
const expressions = require("angular-expressions"); const result = expressions.compile("__proto__.constructor")({}, {}); // result should be undefined, however for versions <=1.4.2, it returns an object.With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system.
Patches
The problem has been patched in version 1.4.3 of angular-expressions.
Workarounds
There is one workaround if it not possible for you to update :
- Make sure that you use the compiled function with just one argument : ie this is not vulnerable :
const result = expressions.compile("__proto__.constructor")({});: in this case you lose the feature of locals if you need it.
Credits
Credits go to JorianWoltjer who has found the issue and reported it to use. https://jorianwoltjer.com/
- Make sure that you use the compiled function with just one argument : ie this is not vulnerable :
- Database specific
{ "nvd_published_at": "2024-12-10T16:15:23Z", "cwe_ids": [ "CWE-94" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-12-10T16:54:50Z" }- References
Affected packages
npm / angular-expressions
Package
- Name
- angular-expressions
- View open source insights on deps.dev
- Purl
- pkg:npm/angular-expressions