CVE-2024-54152

Name of the Vulnerable Software and Affected Versions: Angular Expressions versions prior to 1.4.3

Description: The issue is related to the incorrect management of code generation in the Angular Expressions module for the Angular.JS web framework. An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. With a more complex payload, one can get full access to arbitrary code execution on the system.

Recommendations: For versions prior to 1.4.3, update to version 1.4.3 to resolve the issue. As a temporary workaround, consider disabling access to proto globally. Alternatively, make sure to use the compiled function with just one argument, for example: const result = expressions.compile(" proto .constructor")({});, although this will limit the feature of locals if needed.