critical advisory

Angular Expressions Remote Code Execution via Malicious Filter

A remote code execution vulnerability (CVE-2026-44643) exists in angular-expressions versions 1.5.1 and earlier, allowing an attacker to execute arbitrary code on the system by crafting a malicious expression that bypasses the sandbox.

The angular-expressions library, up to version 1.5.1, is vulnerable to remote code execution. This vulnerability, identified as CVE-2026-44643, allows an attacker to craft a malicious expression that escapes the sandbox environment of the library. By exploiting this flaw, an attacker can execute arbitrary code on the system where the vulnerable library is used. This poses a significant risk to applications utilizing angular-expressions for expression evaluation, potentially leading to complete system compromise. The vulnerability was discovered by San Gil from SecurityOffice. Version 1.5.2 of angular-expressions contains the fix.

Attack Chain

  1. An attacker identifies an application using a vulnerable version (<= 1.5.1) of the angular-expressions library.
  2. The attacker crafts a malicious expression designed to exploit the sandbox escape vulnerability.
  3. The attacker injects the malicious expression into the application, potentially through user input or other application logic.
  4. The application uses the expressions.compile() function to compile the malicious expression. For example: expressions.compile("a | __proto__")({}, {})
  5. The vulnerable angular-expressions library fails to properly sanitize the expression, allowing it to bypass the sandbox restrictions.
  6. The expression gains access to underlying JavaScript engine internals (e.g., __proto__).
  7. The attacker leverages this access to execute arbitrary code on the server.
  8. This arbitrary code execution could lead to complete compromise of the affected system, including data exfiltration, service disruption, or further lateral movement within the network.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the system hosting the application utilizing the vulnerable angular-expressions library. This can lead to complete system compromise, including data exfiltration, installation of malware, or denial of service. The severity is critical due to the potential for unauthenticated remote code execution.

Recommendation

  • Upgrade the angular-expressions library to version 1.5.2 or later to patch CVE-2026-44643.
  • Deploy the Sigma rule "Detect CVE-2026-44643 Exploitation — angular-expressions Sandbox Escape" to detect attempts to exploit the vulnerability in web server logs.
  • Implement input validation to prevent the injection of malicious expressions into applications using angular-expressions.
  • Continuously monitor web server logs for suspicious activity related to expression compilation.
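One way to apply the input-validation recommendation, as an added example that is not code from angular-expressions or from this advisory: reject any expression whose filter name is not on an explicit allowlist before it reaches expressions.compile(). The names ALLOWED_FILTERS, filterNames and assertSafeExpression, the sample filter names and the 256-character limit are assumptions.

```javascript
// Added example: pre-compile guard for user-supplied expressions.
// ALLOWED_FILTERS and both function names are hypothetical; the filter names
// in the set are constructed samples. A Set is used rather than a plain-object
// lookup so inherited property names such as __proto__ can never match.
const ALLOWED_FILTERS = new Set(["uppercase", "currency"]);

// Return the identifiers used in filter position (`expr | name`), skipping
// quoted strings and the `||` operator.
function filterNames(expression) {
  const names = [];
  let i = 0;
  while (i < expression.length) {
    const ch = expression[i];
    if (ch === '"' || ch === "'") {
      // Skip a string literal, honouring backslash escapes.
      i++;
      while (i < expression.length && expression[i] !== ch) {
        i += expression[i] === "\\" ? 2 : 1;
      }
      i++;
    } else if (ch === "|" && expression[i + 1] === "|") {
      i += 2; // logical OR, not a filter
    } else if (ch === "|") {
      // Filter name runs up to whitespace, ':' (arguments), '|' or a paren.
      const m = /^\s*([^\s:|()]*)/.exec(expression.slice(i + 1));
      names.push(m[1]); // an empty name (dangling '|') is rejected below
      i += 1 + m[0].length;
    } else {
      i++;
    }
  }
  return names;
}

// Throw unless the input is a short string whose filters are all allowlisted.
function assertSafeExpression(expression) {
  if (typeof expression !== "string" || expression.length > 256) {
    throw new Error("expression rejected: not a short string");
  }
  for (const name of filterNames(expression)) {
    if (!ALLOWED_FILTERS.has(name)) {
      throw new Error(`expression rejected: filter "${name}" is not allowlisted`);
    }
  }
  return expression;
}
```

Call assertSafeExpression(input) before passing input to expressions.compile(); it complements the upgrade to 1.5.2 and does not replace it.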

Detection coverage (2)

Detect CVE-2026-44643 Exploitation — angular-expressions Sandbox Escape

critical

Detects attempts to exploit the angular-expressions sandbox escape vulnerability (CVE-2026-44643) by matching the use of '__proto__' in expressions.

sigma; tactics: execution; techniques: T1203; sources: webserver

Detect CVE-2026-44643 Exploitation — angular-expressions SyntaxError

high

Detects the 'Unexpected identifier Object' error that results from attempts to exploit the angular-expressions sandbox escape vulnerability (CVE-2026-44643).

sigma; tactics: execution; techniques: T1203; sources: webserver
