A critical security vulnerability in Angular Expressions, a standalone module for the Angular.JS web framework, has been discovered, potentially allowing attackers to execute arbitrary code and gain full system access.
The vulnerability, identified as CVE-2024-54152, affects versions prior to 1.4.3 and has been assigned a CVSS base score of 9.3, indicating its severe nature.
The flaw, categorized as CWE-94: Improper Control of Generation of Code (‘Code Injection’), enables malicious actors to craft expressions that can escape the sandbox environment and execute arbitrary code on the underlying system.
This poses a significant threat to the confidentiality, integrity, and availability of affected systems, as attackers could potentially gain unauthorized control over compromised machines.
Angular Expressions PoC Vulnerability
Security researchers have demonstrated the impact of vulnerability through a proof-of-concept (PoC) exploit. The PoC involves a simple Node.js application using the vulnerable version of Angular Expressions, which exposes an endpoint that evaluates user-provided expressions.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
When a malicious payload is sent to this endpoint, it results in the execution of arbitrary commands, such as the “id” command, clearly illustrating the severity of the issue.
The vulnerability stems from the ability to manipulate the “proto” property, allowing attackers to break out of the intended sandbox and access the underlying system. This highlights the importance of proper input validation and the dangers of executing untrusted code within supposedly secure environments.
Peerigon, the maintainer of Angular Expressions, has addressed the vulnerability in version 1.4.3. Organizations and developers using affected versions are strongly urged to upgrade immediately to mitigate the risk. For those unable to update immediately, two workarounds have been suggested:
- Disable access to the “proto” function globally.
- Ensure that the vulnerable function is used with only one argument.
The discovery of this vulnerability serves as a reminder of the ongoing challenges in web application security. It underscores the importance of regular security audits, prompt patching, and the principle of least privilege in software development.
As the exploit code is now publicly available, it’s crucial for organizations to act swiftly to protect their systems. The Centre for Cybersecurity Belgium recommends that organizations enhance their monitoring and detection capabilities to identify any suspicious activities related to this vulnerability.
While patching remains the most effective solution, it’s important to note that updating to the latest version does not remediate any potential historic compromises. Therefore, thorough system audits are advised for any organization that may have been exposed to this vulnerability.
This incident highlights the critical need for developers and organizations to stay vigilant, keep their dependencies up-to-date, and implement robust security practices to protect against emerging threats in the ever-evolving web application security landscape.