CVE-2024-54152 CRITICAL

CVE-2024-54152: Angular Expressions - Remote Code Execution when using locals

Vendor Peerigon
Product angular-expressions
Weakness CWE-94 · Code injection
Published December 10, 2024
Last update December 10, 2024

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to version 1.4.3, an attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system. The problem has been patched in version 1.4.3 of Angular Expressions. Two possible workarounds are available. One may either disable access to `__proto__` globally or make sure that one uses the function with just one argument.

Key dates

02Disclosure timeline

December 10, 2024 CVE published
December 10, 2024 Record updated