Angular Expressions - Remote Code Execution
CVE-2021-21277

8.5HIGH

Key Information:

Vendor

Peerigon

Status
Angular-expressions
Vendor
CVE Published:
1 February 2021

What is CVE-2021-21277?

angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call "expressions.compile(userControlledInput)" where "userControlledInput" is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a ".constructor.constructor" technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. This is fixed in version 1.1.2 of angular-expressions A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput.

Affected Version(s)

angular-expressions < 1.1.2

References

https://github.com/peerigon/angular-expressions/security/...
x_refsource_CONFIRM
https://www.npmjs.com/package/angular-expressions
x_refsource_MISC
http://blog.angularjs.org/2016/09/angular-16-expression-s...
x_refsource_MISC

CVSS V3.1

Score:
8.5
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.