CVE-2024-54152
published 2024-12-10CVE-2024-54152: Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to version 1.4.3, an attacker can write a malicious…
PriorityP260critical9.3CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
2.26%
80.8th percentile
Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to version 1.4.3, an attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system. The problem has been patched in version 1.4.3 of Angular Expressions. Two possible workarounds are available. One may either disable access to `__proto__` globally or make sure that one uses the function with just one argument.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| peerigon | angular-expressions | < 1.4.3 | 1.4.3 |
| peerigon | angular-expressions | >= 0 < 1.4.3 | 1.4.3 |
CVSS provenance
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv9.3CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Angular Expressions - Remote Code Execution when using locals
ghsa·2024-12-10
CVE-2024-54152 [CRITICAL] CWE-94 Angular Expressions - Remote Code Execution when using locals
Angular Expressions - Remote Code Execution when using locals
### Impact
An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.
Example of vulnerable code:
```js
const expressions = require("angular-expressions");
const result = expressions.compile("__proto__.constructor")({}, {});
// result should be undefined, however for versions <=1.4.2, it returns an object.
```
With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system.
### Patches
The problem has been patched in version 1.4.3 of angular-expressions.
### Workarounds
There is one workaround if it not possible for you to update :
* Make sure that you use the compiled function with just one argument : ie this is not vulner
OSV
CVE-2024-54152: Angular Expressions provides expressions for the Angular
osv·2024-12-10·CVSS 9.3
CVE-2024-54152 [CRITICAL] CVE-2024-54152: Angular Expressions provides expressions for the Angular
Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to version 1.4.3, an attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system. The problem has been patched in version 1.4.3 of Angular Expressions. Two possible workarounds are available. One may either disable access to `__proto__` globally or make sure that one uses the function with just one argument.
OSV
Angular Expressions - Remote Code Execution when using locals
osv·2024-12-10
CVE-2024-54152 [CRITICAL] Angular Expressions - Remote Code Execution when using locals
Angular Expressions - Remote Code Execution when using locals
### Impact
An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.
Example of vulnerable code:
```js
const expressions = require("angular-expressions");
const result = expressions.compile("__proto__.constructor")({}, {});
// result should be undefined, however for versions <=1.4.2, it returns an object.
```
With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system.
### Patches
The problem has been patched in version 1.4.3 of angular-expressions.
### Workarounds
There is one workaround if it not possible for you to update :
* Make sure that you use the compiled function with just one argument : ie this is not vulner
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-12-10
Published