Angular Expressions Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Angular Expressions versions prior to 1.4.3. The issue arises because an attacker can craft a malicious expression that escapes the sandbox environment, allowing arbitrary code execution on the system. This vulnerability can be exploited by using a complex, undisclosed payload. The vulnerability has been patched in version 1.4.3.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the system where Angular Expressions is used.

Reproduction

To reproduce this vulnerability, compile an expression that accesses the prototype chain, such as '__proto__.constructor', and execute it with an empty context and locals. This will bypass the sandbox and return the constructor function, which can then be used to execute arbitrary code.

Remediation

Users can update to Angular Expressions version 1.4.3 or later to address this vulnerability. If an immediate update is not possible, the compiled expression function can be called with a single argument (the context only) to avoid the vulnerability, although this forfeits the use of locals.
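Because the fix is a version bump, the first thing a defender wants is a quick way to find every copy of the package below 1.4.3 in a dependency tree, nested installs included. The following script is an added example, not code from the advisory or from the Angular Expressions project; it assumes an npm lockfile of lockfileVersion 2 or 3 (the "packages" map keyed by install path) and uses a constructed sample lockfile embedded inline.

```javascript
// Added example (not part of the advisory): flag every angular-expressions
// install in an npm lockfile that is older than the patched release 1.4.3.

const PACKAGE_NAME = "angular-expressions";
const FIXED_VERSION = "1.4.3"; // first release the advisory lists as patched

// Parse "MAJOR.MINOR.PATCH" into numeric parts. A leading "v" and any
// "-prerelease" or "+build" suffix are tolerated and ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, component by component, so that 1.10.0 > 1.4.3
// (a plain string comparison would get this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when the given version is below the patched release.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk the lockfile's "packages" map (lockfileVersion 2/3) and return every
// install path that resolves to a vulnerable copy of the package. Nested
// installs such as node_modules/foo/node_modules/angular-expressions are
// matched too, since a transitive dependency is just as exploitable.
function findVulnerable(lock) {
  const hits = [];
  const packages = (lock && lock.packages) || {};
  for (const [installPath, info] of Object.entries(packages)) {
    if (!installPath.endsWith(`node_modules/${PACKAGE_NAME}`)) continue;
    if (info && info.version && isAffected(info.version)) {
      hits.push({ path: installPath, version: info.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one direct vulnerable copy and one patched
// copy nested under a hypothetical dependency "some-template-lib".
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/angular-expressions": { version: "1.4.2" },
    "node_modules/some-template-lib": { version: "2.0.0" },
    "node_modules/some-template-lib/node_modules/angular-expressions": {
      version: "1.4.3",
    },
  },
};

// Run against the sample: only the direct 1.4.2 install is reported.
console.log(JSON.stringify(findVulnerable(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; any reported path needs an upgrade to 1.4.3 or later, or, as an interim measure, the single-argument call described above.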

Added: May 15, 2026, 9:38 AM
Updated: May 15, 2026, 9:38 AM

Vulnerability Rating (Custom Algorithm)

spread:         0.0
impact:        10.0
exploitability: 5.0
remediation:    7.9
relevance:      0.0
threat:         7.0
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.