Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01NDYyLTR2Y3gtamg3as4ABCOd
Angular Expressions - Remote Code Execution when using locals
Impact
An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.
Example of vulnerable code:
const expressions = require("angular-expressions");
const result = expressions.compile("__proto__.constructor")({}, {});
// result should be undefined, however for versions <=1.4.2, it returns an object.
With a more complex (undisclosed) payload, an attacker can achieve arbitrary code execution on the system.
Patches
The problem has been patched in version 1.4.3 of angular-expressions.
Workarounds
There is one workaround if it is not possible for you to update:
- Make sure that you call the compiled function with just one argument, i.e. this is not vulnerable:
const result = expressions.compile("__proto__.constructor")({});
In this case you lose the locals feature if you need it.
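The two defensive steps the advisory gives are a version check (anything below 1.4.3 is affected) and, where updating is not possible, calling the compiled function with the scope only and never a locals object. The following is an added example, not code from the advisory or from the angular-expressions project: it flags affected copies of the package in an npm lockfile and wraps the compiled function so a locals argument can never be passed. The lockfile contents are constructed sample data, and `compile` is injected so the file runs without the package installed; in real use you would pass `require("angular-expressions").compile`.

```javascript
// Added example (not from the advisory or the angular-expressions project).
// 1. Flag angular-expressions versions in the advisory's affected range (< 1.4.3)
//    inside a package-lock.json.
// 2. Apply the advisory's workaround: only ever call the compiled function with
//    a single argument (the scope), so no locals object reaches the sandbox.

const PACKAGE = "angular-expressions";
const FIXED_VERSION = "1.4.3"; // from the advisory: "Fixed in: 1.4.3"

// Compare two dotted numeric versions (major.minor.patch); returns -1, 0 or 1.
// Pre-release tags are ignored; every version the advisory lists is plain numeric.
function compareVersions(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10));
  const pb = b.split(".").map((n) => parseInt(n, 10));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected version range from the advisory: "< 1.4.3".
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// return every installed copy of angular-expressions, nested ones included,
// whose version falls in the affected range.
function findAffectedInLockfile(lock) {
  const hits = [];
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (name === PACKAGE && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Workaround from the advisory: call the compiled function with exactly one
// argument. `compile` is injected (e.g. require("angular-expressions").compile)
// so this file runs stand-alone; the wrapper drops any locals a caller might try
// to hand in and passes only the scope.
function makeScopeOnlyEvaluator(compile) {
  return function evaluate(expression, scope) {
    const fn = compile(expression);
    return fn(scope); // never fn(scope, locals)
  };
}

// Constructed sample lockfile: one affected root copy and one fixed nested copy.
// "some-template-lib" is a hypothetical package name used only for illustration.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/angular-expressions": { version: "1.4.2" },
    "node_modules/some-template-lib": { version: "0.0.1" },
    "node_modules/some-template-lib/node_modules/angular-expressions": { version: "1.4.3" },
  },
};

// Stand-alone demo: report affected copies found in the constructed lockfile.
for (const hit of findAffectedInLockfile(SAMPLE_LOCK)) {
  console.log(`${hit.path}@${hit.version} is affected (update to ${FIXED_VERSION} or newer)`);
}
```

Run the scan against your own lockfile by loading it with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `SAMPLE_LOCK`; nested copies matter because a transitive dependency can pin an older angular-expressions even after the top-level one is updated. The evaluator wrapper is only a stop-gap for the case the advisory describes (updating is not possible) and removes the locals feature entirely.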
Credits
Credits go to JorianWoltjer, who found the issue and reported it to us. https://jorianwoltjer.com/
Permalink: https://github.com/advisories/GHSA-5462-4vcx-jh7j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NDYyLTR2Y3gtamg3as4ABCOd
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 16 days ago
Updated: 16 days ago
EPSS Percentage: 0.00043
EPSS Percentile: 0.10788
Identifiers: GHSA-5462-4vcx-jh7j, CVE-2024-54152
References:
- https://github.com/peerigon/angular-expressions/security/advisories/GHSA-5462-4vcx-jh7j
- https://github.com/peerigon/angular-expressions/commit/97f7ad94006156eeb97fc942332578b6cfbf8eef
- https://nvd.nist.gov/vuln/detail/CVE-2024-54152
- https://github.com/advisories/GHSA-5462-4vcx-jh7j
Blast Radius: 0.0
Affected Packages
npm:angular-expressions
Dependent packages: 85
Dependent repositories: 849
Downloads: 201,636 last month
Affected Version Ranges: < 1.4.3
Fixed in: 1.4.3
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.3.0, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.1, 1.4.2
All unaffected versions: 1.4.3