CVE-2021-21277

angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call "expressions.compile(userControlledInput)" where "userControlledInput" is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a ".constructor.constructor" technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. This is fixed in version 1.1.2 of angular-expressions A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput.
Configurations

Configuration 1 (hide)

cpe:2.3:a:peerigon:angular-expressions:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2021-02-01 15:15

Updated : 2024-02-28 18:08


NVD link : CVE-2021-21277

Mitre link : CVE-2021-21277

CVE.ORG link : CVE-2021-21277


JSON object : View

Products Affected

peerigon

  • angular-expressions
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')