Miggo Logo

CVE-2020-5219: Remote Code Execution in Angular Expressions

8.7

CVSS Score
3.1

Basic Information

EPSS Score
0.69421%
Published
1/24/2020
Updated
1/9/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
angular-expressionsnpm< 1.0.11.0.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability explicitly occurs when user-controlled input is passed to expressions.compile(). Angular-expressions' compile function did not properly restrict access to the prototype chain or dangerous JS objects prior to v1.0.1, enabling RCE through expressions like constructor.constructor('alert(1)')(). The advisory directly links the vulnerability to this function, and the patch focused on adding prototype access restrictions in the compilation process.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** vuln*r**ility, r*port** *y *oS**ur* In*, *llows R*mot* *o** *x**ution, i* you **ll `*xpr*ssions.*ompil*(us*r*ontroll**Input)` w**r* `us*r*ontroll**Input` is t*xt t**t *om*s *rom us*r input. * I* runnin* *n*ul*r-*xpr*ssions in t** *ro

Reasoning

T** vuln*r**ility *xpli*itly o**urs w**n us*r-*ontroll** input is p*ss** to `*xpr*ssions.*ompil*()`. *n*ul*r-*xpr*ssions' *ompil* *un*tion *i* not prop*rly r*stri*t ****ss to t** prototyp* ***in or **n**rous JS o*j**ts prior to v*.*.*, *n**lin* R** t