CVE-2021-21277
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-21277
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21277.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-21277
- Aliases
- Related
- Published
- 2021-02-01T15:15:13Z
- Modified
- 2025-01-08T10:33:40.629844Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call "expressions.compile(userControlledInput)" where "userControlledInput" is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a ".constructor.constructor" technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. This is fixed in version 1.1.2 of angular-expressions A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput.
- References
-
- http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html
- https://github.com/peerigon/angular-expressions/security/advisories/GHSA-j6px-jwvv-vpwq
- https://github.com/peerigon/angular-expressions/commit/07edb62902b1f6127b3dcc013da61c6316dd0bf1
- https://www.npmjs.com/package/angular-expressions