CVE-2024-54152: Angular Expressions - Remote Code Execution when using locals

December 10, 2024

An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.

Example of vulnerable code:

const expressions = require("angular-expressions");
const result = expressions.compile("__proto__.constructor")({}, {});
// result should be undefined, however for versions <=1.4.2, it returns an object.

With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system.

References

github.com/advisories/GHSA-5462-4vcx-jh7j
github.com/peerigon/angular-expressions
github.com/peerigon/angular-expressions/commit/97f7ad94006156eeb97fc942332578b6cfbf8eef
github.com/peerigon/angular-expressions/security/advisories/GHSA-5462-4vcx-jh7j
nvd.nist.gov/vuln/detail/CVE-2024-54152

Detect and mitigate CVE-2024-54152 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →