8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5219

GHSA ID

GHSA-hxhm-96pp-2m43

EPSS Score

0.69421%

CWE

CWE-74

Published

1/24/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-5219

CVE-2020-5219: Remote Code Execution in Angular Expressions

Impact

The vulnerability, reported by GoSecure Inc, allows Remote Code Execution, if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input.

If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput).
If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution.

Patches

Users should upgrade to version 1.0.1 of angular-expressions

Workarounds

A temporary workaround might be either to :

disable user-controlled input that will be fed into angular-expressions in your application

allow only following characters in the userControlledInput :

if (/^[|a-zA-Z.0-9 :"'+-?]+$/.test(userControlledInput)) {
      var result = expressions.compile(userControlledInput);
}
else {
     result = undefined;
}

References

Removal of angular-expression sandbox

For more information

If you have any questions or comments about this advisory:

Open an issue in angular-expressions
Email us

Credits

The issue was reported by Maxime Nadeau from GoSecure, Inc.

(GitHub Advisory)

8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5219

GHSA ID

GHSA-hxhm-96pp-2m43

EPSS Score

0.69421%

CWE

CWE-74

Published

1/24/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
angular-expressions	npm	< 1.0.1	1.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly occurs when user-controlled input is passed to expressions.compile(). Angular-expressions' compile function did not properly restrict access to the prototype chain or dangerous JS objects prior to v1.0.1, enabling RCE through expressions like constructor.constructor('alert(1)')(). The advisory directly links the vulnerability to this function, and the patch focused on adding prototype access restrictions in the compilation process.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** vuln*r**ility, r*port** *y *oS**ur* In*, *llows R*mot* *o** *x**ution, i* you **ll `*xpr*ssions.*ompil*(us*r*ontroll**Input)` w**r* `us*r*ontroll**Input` is t*xt t**t *om*s *rom us*r input. * I* runnin* *n*ul*r-*xpr*ssions in t** *ro

Reasoning

T** vuln*r**ility *xpli*itly o**urs w**n us*r-*ontroll** input is p*ss** to `*xpr*ssions.*ompil*()`. *n*ul*r-*xpr*ssions' *ompil* *un*tion *i* not prop*rly r*stri*t ****ss to t** prototyp* ***in or **n**rous JS o*j**ts prior to v*.*.*, *n**lin* R** t

8.7

Basic Information

Concerned about an active attack path?

CVE-2020-5219: Remote Code Execution in Angular Expressions

Impact

Patches

Workarounds

References

For more information

Credits

8.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI