Impact
An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.
Example of vulnerable code:
const expressions = require("angular-expressions");
const result = expressions.compile("__proto__.constructor")({}, {});
// result should be undefined, however for versions <=1.4.2, it returns an object.With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system.
Patches
The problem has been patched in version 1.4.3 of angular-expressions.
Workarounds
There is one workaround if it not possible for you to update :
- Make sure that you use the compiled function with just one argument : ie this is not vulnerable :
const result = expressions.compile("__proto__.constructor")({}); : in this case you lose the feature of locals if you need it.
Credits
Credits go to JorianWoltjer who has found the issue and reported it to use. https://jorianwoltjer.com/
JorianWoltjer Finder
Impact
An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.
Example of vulnerable code:
With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system.
Patches
The problem has been patched in version 1.4.3 of angular-expressions.
Workarounds
There is one workaround if it not possible for you to update :
const result = expressions.compile("__proto__.constructor")({});: in this case you lose the feature of locals if you need it.Credits
Credits go to JorianWoltjer who has found the issue and reported it to use. https://jorianwoltjer.com/