CVE-2021-21277: angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 ...

Description

angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call "expressions.compile(userControlledInput)" where "userControlledInput" is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a ".constructor.constructor" technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. This is fixed in version 1.1.2 of angular-expressions A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

2.73%

84.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Peerigon	Angular-Expressions	< 1.1.2

References

http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.htmlBroken Link, Vendor Advisory
https://github.com/peerigon/angular-expressions/commit/07edb62902b1f6127b3dcc013da61c6316dd0bf1Patch, Third Party Advisory
https://github.com/peerigon/angular-expressions/security/advisories/GHSA-j6px-jwvv-vpwqVendor Advisory
https://www.npmjs.com/package/angular-expressionsProduct
http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.htmlBroken Link, Vendor Advisory
https://github.com/peerigon/angular-expressions/commit/07edb62902b1f6127b3dcc013da61c6316dd0bf1Patch, Third Party Advisory
https://github.com/peerigon/angular-expressions/security/advisories/GHSA-j6px-jwvv-vpwqVendor Advisory
https://www.npmjs.com/package/angular-expressionsProduct

Timeline

Published: Feb 1, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-21277?

angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call "expressions.compile(userControlledInput)" where "userControlledInput" is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a ".constructor.constructor" technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. This is fixed in version 1.1.2 of angular-expressions A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput.

How severe is CVE-2021-21277?

CVE-2021-21277 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 2.73% probability of exploitation in the next 30 days.

How do I fix CVE-2021-21277?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.