Skip to main content

angular-expressions EUVDEUVD-2026-29078

| CVE-2026-44643 CRITICAL
Eval Injection (CWE-95)
2026-05-11 GitHub_M GHSA-pw8r-6689-xvf4
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Source Code Evidence Fetched
May 11, 2026 - 18:01 vuln.today
Analysis Generated
May 11, 2026 - 18:01 vuln.today
Patch available
May 11, 2026 - 17:17 EUVD
CVSS changed
May 11, 2026 - 16:22 NVD
9.3 (CRITICAL)
CVE Published
May 11, 2026 - 14:33 nvd
CRITICAL 9.3
CVE Published
May 11, 2026 - 14:33 nvd
UNKNOWN (no severity yet)

DescriptionGitHub Advisory

Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system. This vulnerability is fixed in 1.5.2.

AnalysisAI

Remote code execution in angular-expressions versions ≤1.5.1 allows unauthenticated network attackers to escape the expression sandbox via malicious filter payloads and execute arbitrary system commands with no user interaction required. CVSS 9.3 (Critical) with confirmed public exploit code available. Vendor-released patch in version 1.5.2 addresses the sandbox escape. Affects applications using angular-expressions as a standalone module for evaluating user-supplied Angular.JS expressions.

Technical ContextAI

angular-expressions is an npm package (maintained by peerigon) that extracts Angular.JS expression parsing and evaluation as a standalone module, commonly used in template engines and dynamic content rendering outside the Angular framework. The vulnerability stems from CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), specifically a sandbox escape through prototype pollution when processing filter expressions. The public exploit leverages '__proto__' filter references to break out of the intended execution context. When applications compile untrusted expressions using expressions.compile(), attackers can manipulate JavaScript object prototypes to gain unrestricted code execution beyond the sandbox boundaries designed to isolate expression evaluation from the underlying Node.js runtime.

RemediationAI

Vendor-released patch: Upgrade angular-expressions to version 1.5.2 or later via npm (npm update angular-expressions or package.json dependency update to ^1.5.2). Official patch details available in GitHub Advisory GHSA-pw8r-6689-xvf4 (https://github.com/peerigon/angular-expressions/security/advisories/GHSA-pw8r-6689-xvf4) and exploit reference at https://gist.github.com/alon710/8d25a2ec6d3cfd7d6115a0f90a1bb719 demonstrates the vulnerability mechanics. If immediate patching is infeasible: (1) Implement strict input validation rejecting any expressions containing 'proto', 'constructor', or other prototype-manipulation keywords (note: sophisticated attackers may bypass keyword filters via encoding or obfuscation), (2) Isolate expression compilation in sandboxed containers (VM2 or isolated-vm npm modules) with restricted permissions (trade-off: performance overhead and potential compatibility issues with existing code), (3) Disable filter support entirely if application logic permits (may break functionality relying on Angular.JS filter syntax). These mitigations are stopgap measures only - upgrade to 1.5.2 remains the definitive fix.

Share

EUVD-2026-29078 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy