PT-2021-14383 · Unknown · Angular-Expressions

Maxime Nadeau · Published 2021-02-01 · Updated 2025-10-31 · CVE-2021-21277

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: angular-expressions versions prior to 1.1.2

Description: The issue allows Remote Code Execution if expressions.compile(userControlledInput) is called where userControlledInput is text that comes from user input. The package's existing protections could be bypassed with a more complex payload that uses a .constructor.constructor technique. If angular-expressions is running in the browser, an attacker could run arbitrary browser script whenever the application code calls expressions.compile(userControlledInput). If it is running on the server, an attacker could evaluate arbitrary JavaScript, thus gaining Remote Code Execution.

Recommendations: To resolve the issue, upgrade to version 1.1.2 of angular-expressions. As a temporary workaround, consider not accepting user-controlled input for anything that is fed into angular-expressions in your application. Alternatively, restrict userControlledInput to a fixed set of characters, such as those matching the regex /^[|a-zA-Z.0-9 :"'+-?]+$/.
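The allowlist workaround from the recommendations above, as an added example that is not code from this advisory or from the angular-expressions project. compileGuarded takes the compile function as a parameter so the file runs without the package, and makeRecordingCompiler is a hypothetical stand-in for expressions.compile. The comments also spell out what the regex actually admits: inside the character class, `+-?` is a range from `+` to `?`, so it passes `,` `-` `/` `;` `<` `=` `>` but not `*`.

```javascript
// Added example (not angular-expressions code): allowlist gate implementing the
// regex workaround from the advisory, placed in front of a compile() call.

// Inside the character class, "+-?" is a range (0x2B..0x3F): besides the listed
// characters it admits , - / ; < = > and excludes "*" (0x2A). It admits none of
// ( ) [ ] { } _ $ ` ! or newlines, so no call or bracket syntax reaches compile.
const ALLOWED_EXPRESSION = /^[|a-zA-Z.0-9 :"'+-?]+$/;

// True when input is a non-empty string made only of allowlisted characters.
function isAllowedExpression(input) {
  return typeof input === "string" && ALLOWED_EXPRESSION.test(input);
}

// compile is expressions.compile in a real deployment; it is passed in here so
// this file runs without the package. Input failing the allowlist never reaches it.
function compileGuarded(compile, input) {
  if (!isAllowedExpression(input)) {
    throw new Error(`expression rejected by allowlist: ${JSON.stringify(input)}`);
  }
  return compile(input);
}

// Splits candidate expressions into those the gate passes and those it blocks.
function triageExpressions(inputs) {
  const allowed = [], rejected = [];
  for (const input of inputs) {
    (isAllowedExpression(input) ? allowed : rejected).push(input);
  }
  return { allowed, rejected };
}

// Hypothetical stand-in for expressions.compile that records what it was given.
function makeRecordingCompiler() {
  const seen = [];
  return { seen, compile: (src) => { seen.push(src); return () => src; } };
}

// Constructed sample inputs (not from the advisory).
const SAMPLES = [
  "user.name",          // allowed: identifiers and dots
  "x ? 'yes' : 'no'",   // allowed: ternary, quotes, colon
  "a || b",             // allowed: "|" is listed explicitly
  "total * 2",          // rejected: "*" sits just below the "+-?" range
  "fn(x)",              // rejected: parentheses
  "items[0]",           // rejected: brackets
  "a\nb",               // rejected: newline is not in the class
];
```

Running triageExpressions(SAMPLES) passes the first three inputs and blocks the last four; the gate is the advisory's interim measure and does not replace the upgrade to 1.1.2.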

Fix

Weakness Enumeration

Code Injection
Special Elements Injection

Related Identifiers

CVE-2021-21277
GHSA-J6PX-JWVV-VPWQ

Affected Products

Angular-Expressions