GHSA-PW8R-6689-XVF4
Vulnerability from github – Published: 2026-05-11 16:20 – Updated: 2026-05-13 13:53
VLAI?
Summary
Angular Expressions - Remote Code Execution using filters
Details
Impact
An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.
Example of vulnerable code:
const expressions = require("angular-expressions");
const result = expressions.compile("a | __proto__")({}, {});
This should throw the error : Filter 'proto' is not defined, however, this shows :
Uncaught SyntaxError: Unexpected identifier 'Object'
With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system.
Vulnerable versions :
angular-expressions <= 1.5.1
Patches
The problem has been patched in version 1.5.2 of angular-expressions.
Credits
Credits go to San Gil from www.securityoffice.io who has found the issue and reported it to us.
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.5.1"
},
"package": {
"ecosystem": "npm",
"name": "angular-expressions"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44643"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T16:20:58Z",
"nvd_published_at": "2026-05-11T16:17:36Z",
"severity": "CRITICAL"
},
"details": "## Impact\n\nAn attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.\n\nExample of vulnerable code:\n\n```\nconst expressions = require(\"angular-expressions\");\nconst result = expressions.compile(\"a | __proto__\")({}, {});\n```\n\nThis should throw the error : Filter \u0027__proto__\u0027 is not defined, however, this shows : \n\nUncaught SyntaxError: Unexpected identifier \u0027Object\u0027\n\nWith a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system.\n\n## Vulnerable versions : \n\nangular-expressions \u003c= 1.5.1\n\n## Patches\n\nThe problem has been patched in version 1.5.2 of angular-expressions.\n\n## Credits\n\nCredits go to San Gil from [www.securityoffice.io](https://securityoffice.io/) who has found the issue and reported it to us.",
"id": "GHSA-pw8r-6689-xvf4",
"modified": "2026-05-13T13:53:12Z",
"published": "2026-05-11T16:20:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/peerigon/angular-expressions/security/advisories/GHSA-pw8r-6689-xvf4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44643"
},
{
"type": "PACKAGE",
"url": "https://github.com/peerigon/angular-expressions"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Angular Expressions - Remote Code Execution using filters"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…