CVE-2020-5219: Remote Code Execution in Angular Expressions
8.7
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.69421%
CWE
Published
1/24/2020
Updated
1/9/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
angular-expressions | npm | < 1.0.1 | 1.0.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability explicitly occurs when user-controlled input is passed to expressions.compile()
. Angular-expressions' compile function did not properly restrict access to the prototype chain or dangerous JS objects prior to v1.0.1, enabling RCE through expressions like constructor.constructor('alert(1)')()
. The advisory directly links the vulnerability to this function, and the patch focused on adding prototype access restrictions in the compilation process.