CVE-2021-21277

Injection Vulnerability in npm/angular-expressions

Identifier

CVE-2021-21277

Package Slug

npm/angular-expressions

Vulnerability

Injection Vulnerability

Description

In angular-expressions there is a vulnerability which allows Remote Code Execution if you call expressions.compile(userControlledInput) where "userControlledInput" is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a constructor.constructor technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. This is fixed of angular-expressions A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput.

Affected Versions

All versions before 1.1.2

Solution

Upgrade to version 1.1.2 or above.

Last Modified

2021-02-09

source