PT-2020-18315 · Angular · Angular-Expressions

Maxime Nadeau · Published 2020-01-24 · Updated 2020-01-31 · CVE-2020-5219

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Angular Expressions (angular-expressions) versions prior to 1.0.1

Description: The issue allows remote code execution when expressions.compile(userControlledInput) is called with userControlledInput taken from user input. In a browser environment, an attacker who controls that input can run arbitrary script in the page when the application calls expressions.compile(userControlledInput). On a server, an attacker can run arbitrary JavaScript, thus gaining remote code execution on the host.

Recommendations: For versions prior to 1.0.1, upgrade to version 1.0.1 of angular-expressions. As a temporary workaround, consider disabling user-controlled input that will be fed into angular-expressions in your application: compile only expressions written by the application itself, and expose user data to them as values in the scope rather than as expression text. Alternatively, restrict userControlledInput to only allow specific characters by using a regular expression filter, such as if (/^[|a-zA-Z.0-9 :"+'-?]+$/.test(userControlledInput)). Note that in this sample pattern '-? is a character range (ASCII 0x27 to 0x3F), so it also admits (, ), =, ; and the other characters in that range; treat any such filter as defence in depth, not as a substitute for the upgrade.
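The following is an added example and is not code from this advisory or from the angular-expressions project. It places the unsafe call the description warns about next to the preferred fix (a fixed, developer-authored expression with user text passed only as scope data), and it checks what the advisory's sample regex actually lets through. It assumes angular-expressions is installed for the two compile helpers; the allow-list functions, the STRICT_FILTER pattern and guardedCompile are illustrative names chosen here and run without the package.

```javascript
// Added example (not code from the advisory or from angular-expressions).
// Assumption: `angular-expressions` is installed for the compile helpers;
// everything else runs without the package.
let expressions = null;
try {
  expressions = require("angular-expressions");
} catch (e) {
  // Package absent: the compile helpers below throw a clear error if used.
}

// UNSAFE (the pattern the advisory warns about): attacker-controlled text
// becomes the expression itself and is evaluated with this process's
// privileges.
function unsafeEvaluate(userControlledInput, scope) {
  if (!expressions) throw new Error("angular-expressions is not installed");
  return expressions.compile(userControlledInput)(scope);
}

// PREFERRED: the expression is a fixed, developer-authored string compiled
// once; user text only ever enters as data in the scope, so it is never parsed.
const greeting = expressions ? expressions.compile("'Hello, ' + name") : null;
function safeGreeting(userName) {
  if (!greeting) throw new Error("angular-expressions is not installed");
  return greeting({ name: userName });
}

// The advisory's sample allow-list, copied verbatim. Inside a character
// class, `'-?` is a range (ASCII 0x27 to 0x3F), so besides the characters
// written out it also admits ( ) * , - / ; < = >.
const ADVISORY_FILTER = /^[|a-zA-Z.0-9 :"+'-?]+$/;

// A tighter allow-list (illustrative, not from the advisory): a dotted
// identifier path only, so calls, assignment, string literals and
// statement separators cannot be expressed at all.
const STRICT_FILTER = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

function passesAdvisoryFilter(input) {
  return ADVISORY_FILTER.test(input);
}

function passesStrictFilter(input) {
  return STRICT_FILTER.test(input);
}

// Printable ASCII characters the advisory regex accepts that are not spelled
// out in it individually or by its a-z, A-Z and 0-9 ranges: these come
// solely from the `'-?` range.
function rangeAdmittedChars() {
  const named = "|.: \"+'?";
  let out = "";
  for (let code = 0x20; code < 0x7f; code++) {
    const ch = String.fromCharCode(code);
    if (ADVISORY_FILTER.test(ch) && !named.includes(ch) && !/[a-zA-Z0-9]/.test(ch)) {
      out += ch;
    }
  }
  return out;
}

// Defence-in-depth wrapper for the case where user-written expressions
// cannot be avoided: strict allow-list first, then compile. Still not a
// replacement for upgrading to 1.0.1 or later.
function guardedCompile(userControlledInput) {
  if (!passesStrictFilter(userControlledInput)) {
    throw new Error("expression rejected by allow-list");
  }
  if (!expressions) throw new Error("angular-expressions is not installed");
  return expressions.compile(userControlledInput);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("advisory filter accepts 'a = (b); c':", passesAdvisoryFilter("a = (b); c"));
  console.log("characters admitted only via the '-? range:", rangeAdmittedChars());
  console.log("strict filter accepts 'user.name':", passesStrictFilter("user.name"));
  console.log("strict filter accepts 'a = (b); c':", passesStrictFilter("a = (b); c"));
}
```

Run with node after npm install angular-expressions to exercise the compile helpers; without the package the script still runs and reports what each allow-list admits. The point of rangeAdmittedChars is that a filter which lets call parentheses and the assignment operator through constrains the expression grammar very little, which is why the upgrade is the only recommendation to rely on.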

Fix

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2020-5219
GHSA-HXHM-96PP-2M43

Affected Products

Angular-Expressions