CVE-2021-21277
published 2021-02-01CVE-2021-21277: angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 there is…
PriorityP356high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
2.73%
84.2th percentile
angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call "expressions.compile(userControlledInput)" where "userControlledInput" is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a ".constructor.constructor" technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. This is fixed in version 1.1.2 of angular-expressions A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| peerigon | angular-expressions | < 1.1.2 | 1.1.2 |
| peerigon | angular-expressions | >= 0 < 1.1.2 | 1.1.2 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Angular Expressions - Remote Code Execution
osv·2021-02-01
CVE-2021-21277 [HIGH] Angular Expressions - Remote Code Execution
Angular Expressions - Remote Code Execution
### Impact
The vulnerability, reported by GoSecure Inc, allows Remote Code Execution, if you call `expressions.compile(userControlledInput)` where `userControlledInput` is text that comes from user input.
This time, the security of the package could be bypassed by using a more complex payload, using a `.constructor.constructor` technique.
* If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput).
* If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution.
### Patches
Users should upgrade to version 1.1.2 of angular-expressions
### Workarounds
A temporary workaroun
GHSA
Angular Expressions - Remote Code Execution
ghsa·2021-02-01
CVE-2021-21277 [HIGH] CWE-74 Angular Expressions - Remote Code Execution
Angular Expressions - Remote Code Execution
### Impact
The vulnerability, reported by GoSecure Inc, allows Remote Code Execution, if you call `expressions.compile(userControlledInput)` where `userControlledInput` is text that comes from user input.
This time, the security of the package could be bypassed by using a more complex payload, using a `.constructor.constructor` technique.
* If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput).
* If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution.
### Patches
Users should upgrade to version 1.1.2 of angular-expressions
### Workarounds
A temporary workaroun
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.htmlhttps://github.com/peerigon/angular-expressions/commit/07edb62902b1f6127b3dcc013da61c6316dd0bf1https://github.com/peerigon/angular-expressions/security/advisories/GHSA-j6px-jwvv-vpwqhttps://www.npmjs.com/package/angular-expressionshttp://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.htmlhttps://github.com/peerigon/angular-expressions/commit/07edb62902b1f6127b3dcc013da61c6316dd0bf1https://github.com/peerigon/angular-expressions/security/advisories/GHSA-j6px-jwvv-vpwqhttps://www.npmjs.com/package/angular-expressions
2021-02-01
Published