angular-expressions Remote Code Execution Vulnerability

A remote code execution vulnerability exists in the angular-expressions package, prior to version 1.1.2. This vulnerability allows an attacker to execute arbitrary code by passing user-controlled input to the expressions.compile() function. The issue can be exploited in both browser and server environments. In the browser, any script can be executed, while on the server, any JavaScript expression can be run, leading to remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server or execution of arbitrary scripts in the browser, depending on the environment in which angular-expressions is running.

Reproduction

The vulnerability can be reproduced by calling the expressions.compile() function with user-controlled input that includes a payload designed to bypass the package's security, such as one that exploits the .constructor.constructor technique.

Remediation

Users are advised to upgrade to version 1.1.2 of angular-expressions, which addresses the vulnerability by disallowing access to the prototype chain. For those unable to upgrade, a temporary workaround is to disable user-controlled input to angular-expressions or to sanitize the input by allowing only certain characters.