Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4aG0tOTZwcC0ybTQz

Remote Code Execution in Angular Expressions

Impact

The vulnerability, reported by GoSecure Inc, allows Remote Code Execution, if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input.

Patches

Users should upgrade to version 1.0.1 of angular-expressions

Workarounds

A temporary workaround might be either to :

OR

if (/^[|a-zA-Z.0-9 :"'+-?]+$/.test(userControlledInput)) {
      var result = expressions.compile(userControlledInput);
}
else {
     result = undefined;
}

References

Removal of angular-expression sandbox

For more information

If you have any questions or comments about this advisory:

Credits

The issue was reported by Maxime Nadeau from GoSecure, Inc.

Permalink: https://github.com/advisories/GHSA-hxhm-96pp-2m43
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4aG0tOTZwcC0ybTQz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: almost 2 years ago


CVSS Score: 8.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Percentage: 0.01031
EPSS Percentile: 0.83662

Identifiers: GHSA-hxhm-96pp-2m43, CVE-2020-5219
References: Repository: https://github.com/peerigon/angular-expressions
Blast Radius: 25.5

Affected Packages

npm:angular-expressions
Dependent packages: 85
Dependent repositories: 849
Downloads: 201,636 last month
Affected Version Ranges: < 1.0.1
Fixed in: 1.0.1
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.3.0, 1.0.0
All unaffected versions: 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3