CVE-2020-5219: Injection Vulnerability
Angular Expressions has a remote code execution vulnerability if you call expressions.compile(userControlledInput), where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any JavaScript expression, thus gaining Remote Code Execution.
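The root cause described above is that the expression source handed to compile() is attacker-controlled. The following is an added example, not code from the advisory or from the angular-expressions project, showing the safe shape: expression source stays an application constant, and user-controlled values reach the expression only as scope data. Because it has to run offline, it uses a constructed stand-in, compileFieldPath(), that accepts only dotted property paths and resolves them with own-property lookups; the names compileFieldPath, TEMPLATES and render are assumptions for this illustration, not library API.

```javascript
// Added example (not from the advisory or angular-expressions).
// Vulnerable shape from the advisory: expressions.compile(userControlledInput)
// lets the client choose the *source* of the expression.
// Safe shape below: the client chooses only a template key and supplies data.

// Constructed stand-in for expressions.compile(): a deliberately restricted
// evaluator that understands nothing but dotted identifier paths, so no code
// is ever executed from the source string. Real code would import the library
// and still keep the source strings application-owned.
function compileFieldPath(src) {
  if (!/^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(src)) {
    throw new Error(`not a plain field path: ${src}`);
  }
  const parts = src.split('.');
  // Own-property lookups only: a path like "user.constructor" does not walk
  // the prototype chain and resolves to undefined.
  return (scope) =>
    parts.reduce(
      (cur, p) =>
        cur != null && Object.prototype.hasOwnProperty.call(cur, p) ? cur[p] : undefined,
      scope
    );
}

// Application-owned templates: the expression source is never user input.
const TEMPLATES = {
  greeting: compileFieldPath('user.displayName'),
  city: compileFieldPath('user.address.city'),
};

// Request handler shape: templateKey selects a pre-compiled expression;
// userData is only ever passed as scope.
function render(templateKey, userData) {
  if (!Object.prototype.hasOwnProperty.call(TEMPLATES, templateKey)) {
    throw new Error(`unknown template: ${templateKey}`);
  }
  return TEMPLATES[templateKey]({ user: userData });
}

// Constructed sample requests.
const normalRequest = { template: 'city', user: { displayName: 'Ada', address: { city: 'London' } } };
// Expression-like text placed in a data field stays inert data.
const oddRequest = { template: 'greeting', user: { displayName: '1 + 1' } };

console.log(render(normalRequest.template, normalRequest.user)); // London
console.log(render(oddRequest.template, oddRequest.user)); // 1 + 1
```

The point of the stand-in is the boundary, not the evaluator itself: whatever compiler is used, the string passed to compile() must come from the application, and anything a client sends belongs in the scope object.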
References