CVE-2024-54152 Overview
CVE-2024-54152 is a critical sandbox escape vulnerability in Angular Expressions, a standalone module providing expressions functionality for the Angular.JS web framework. Prior to version 1.4.3, an attacker can craft a malicious expression that escapes the sandbox to execute arbitrary code on the system. This Code Injection vulnerability (CWE-94) allows unauthenticated remote attackers to achieve full arbitrary code execution through the network.
Critical Impact
Unauthenticated attackers can escape the Angular Expressions sandbox to gain full arbitrary code execution on affected systems, potentially leading to complete system compromise.
Affected Products
- Angular Expressions versions prior to 1.4.3
- Applications using the angular-expressions npm package (peerigon/angular-expressions)
- Web applications implementing Angular Expressions for template evaluation
Discovery Timeline
- 2024-12-10 - CVE-2024-54152 published to NVD
- 2024-12-10 - Last updated in NVD database
Technical Details for CVE-2024-54152
Vulnerability Analysis
This vulnerability represents a critical sandbox escape in Angular Expressions that allows attackers to break out of the intended expression evaluation context. The vulnerability stems from improper handling of __proto__ access within expressions, enabling attackers to manipulate the prototype chain and ultimately execute arbitrary code on the underlying system.
Angular Expressions implements a sandbox mechanism designed to safely evaluate user-provided expressions without exposing the underlying JavaScript runtime. However, this sandbox implementation contains a flaw that permits access to prototype manipulation, which can be leveraged to escape the restricted execution environment.
The attack can be executed remotely over the network with no authentication required and no user interaction necessary. A successful exploitation grants the attacker high-level access to confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause of this vulnerability lies in insufficient restrictions on __proto__ access within the Angular Expressions sandbox. The expression evaluation mechanism fails to properly block prototype chain manipulation, allowing attackers to escape the sandbox boundaries. This implementation oversight enables malicious expressions to access objects and functions outside the intended sandbox scope.
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by:
- Crafting a malicious expression that leverages __proto__ access
- Submitting this expression to any endpoint that evaluates Angular Expressions
- The sandbox escape allows execution of arbitrary JavaScript
- With more complex payloads, full arbitrary code execution on the system is achievable
The vulnerability affects any application that uses Angular Expressions to evaluate user-controllable input. This is particularly dangerous in applications that allow users to provide template expressions or dynamic content that gets evaluated through the Angular Expressions library.
Detection Methods for CVE-2024-54152
Indicators of Compromise
- Unusual expressions containing __proto__ references in application logs
- Unexpected process spawning from web application contexts
- Anomalous outbound network connections from web server processes
- Evidence of prototype pollution attempts in request payloads
Detection Strategies
- Monitor application logs for expressions containing __proto__, constructor, or prototype keywords
- Implement Web Application Firewall (WAF) rules to detect and block prototype pollution patterns
- Review npm package dependencies for vulnerable versions of angular-expressions below 1.4.3
- Deploy runtime application self-protection (RASP) solutions to detect sandbox escape attempts
Monitoring Recommendations
- Enable verbose logging for Angular Expressions evaluation to capture suspicious input patterns
- Set up alerting for any JavaScript execution anomalies within the web application context
- Monitor for unexpected file system access or network activity from application processes
- Implement dependency scanning in CI/CD pipelines to detect vulnerable package versions
How to Mitigate CVE-2024-54152
Immediate Actions Required
- Upgrade Angular Expressions to version 1.4.3 or later immediately
- Audit applications to identify all instances using the angular-expressions package
- Restrict or sanitize user input that may be evaluated as expressions
- Consider temporarily disabling expression evaluation functionality until patching is complete
Patch Information
The vulnerability has been patched in version 1.4.3 of Angular Expressions. The fix is available through the GitHub commit. Organizations should update their npm dependencies to pull the patched version.
For detailed information about the vulnerability, refer to the GitHub Security Advisory.
Workarounds
- Disable access to __proto__ globally in the application environment
- Ensure the Angular Expressions function is called with only one argument to limit attack surface
- Implement strict input validation to reject expressions containing prototype-related keywords
- Deploy application-layer filtering to block malicious expression patterns before evaluation
# Update angular-expressions to patched version
npm update angular-expressions@1.4.3
# Verify installed version
npm list angular-expressions
# Alternative: audit for vulnerable packages
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
