Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-5462-4vcx-jh7j: Angular Expressions - Remote Code Execution when using locals

Impact

An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.

Example of vulnerable code:

const expressions = require("angular-expressions");
const result = expressions.compile("__proto__.constructor")({}, {});
// result should be undefined, however for versions <=1.4.2, it returns an object.

With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system.

Patches

The problem has been patched in version 1.4.3 of angular-expressions.

Workarounds

There is one workaround if it not possible for you to update :

  • Make sure that you use the compiled function with just one argument : ie this is not vulnerable : const result = expressions.compile("__proto__.constructor")({}); : in this case you lose the feature of locals if you need it.

Credits

Credits go to JorianWoltjer who has found the issue and reported it to use. https://jorianwoltjer.com/

ghsa
Open in Source
#js#git#rce

Impact

An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.

Example of vulnerable code:

const expressions = require(“angular-expressions”); const result = expressions.compile(“__proto__.constructor”)({}, {}); // result should be undefined, however for versions <=1.4.2, it returns an object.

With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system.

Patches

The problem has been patched in version 1.4.3 of angular-expressions.

Workarounds

There is one workaround if it not possible for you to update :

  • Make sure that you use the compiled function with just one argument : ie this is not vulnerable :
    const result = expressions.compile("proto.constructor")({}); : in this case you lose the feature of locals if you need it.

Credits

Credits go to JorianWoltjer who has found the issue and reported it to use. https://jorianwoltjer.com/

References

  • GHSA-5462-4vcx-jh7j
  • peerigon/angular-expressions@97f7ad9

ghsa: Latest News

GHSA-g5x8-v2ch-gj2g: Vaultwarden HTML injection vulnerability
ghsa