The vulnerability, reported by GoSecure Inc., allows remote code execution when expressions.compile(userControlledInput) is called with a userControlledInput string that comes from user input.
Users should upgrade to version 1.0.1 of angular-expressions.
A temporary workaround might be either to:
OR
```javascript
// Allowlist gate in front of compile(): the hyphen is escaped so that
// "+-?" is read as the three literal characters +, - and ? rather than as
// the character range from "+" to "?" (which would also admit , / ; < = >).
var result;
if (/^[|a-zA-Z.0-9 :"'+\-?]+$/.test(userControlledInput)) {
  result = expressions.compile(userControlledInput);
} else {
  result = undefined;
}
```
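As an added example (not code from the advisory or from angular-expressions), the allowlist check wrapped in a gate function, with the hyphen escaped so that "+-?" is three literal characters rather than a range, and a helper that lists which characters the unescaped range would additionally let through. The compile function is injected so the snippet runs without angular-expressions installed; in an application it would be expressions.compile.

```javascript
// Added example: an allowlist gate in front of expressions.compile().
// `compileFn` is injected (assumption) so this runs without angular-expressions.

// Allowlist from the advisory's workaround, with the hyphen escaped. Unescaped,
// "+-?" inside a character class is a RANGE from "+" (0x2B) to "?" (0x3F).
const ALLOWED_EXPRESSION = /^[|a-zA-Z.0-9 :"'+\-?]+$/;

// The unescaped form, kept only to show the difference.
const ALLOWED_EXPRESSION_UNESCAPED = /^[|a-zA-Z.0-9 :"'+-?]+$/;

// True when the whole string consists of allowlisted characters only.
function isAllowedExpression(input, pattern = ALLOWED_EXPRESSION) {
  return typeof input === 'string' && pattern.test(input);
}

// Returns compileFn(input) for allowlisted input, undefined otherwise.
function compileIfAllowed(userControlledInput, compileFn) {
  if (!isAllowedExpression(userControlledInput)) {
    return undefined;
  }
  return compileFn(userControlledInput);
}

// Printable ASCII characters the unescaped range admits but the escaped
// allowlist rejects.
function rangeOnlyCharacters() {
  const out = [];
  for (let code = 0x21; code < 0x7f; code++) {
    const ch = String.fromCharCode(code);
    if (isAllowedExpression(ch, ALLOWED_EXPRESSION_UNESCAPED) &&
        !isAllowedExpression(ch)) {
      out.push(ch);
    }
  }
  return out.join(''); // ",/;<=>"
}
```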
Removal of angular-expression sandbox
If you have any questions or comments about this advisory:
* Open an issue in angular-expressions
* Email us
The issue was reported by Maxime Nadeau from GoSecure, Inc.
| EPSS score | EPSS percentile |
|---|---|
| 0.63% | 69.57% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.7 | 3.1 | — | |
| Type | Value |
|---|---|
| GHSA | GHSA-hxhm-96pp-2m43 |
| CVE | CVE-2020-5219 |
| CWE id | Name |
|---|---|
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | angular-expressions | < 1.0.1 | 1.0.1 | — |