Platform: nodejs
Component: angular-expressions
Fixed versions: 1.4.4, 1.4.3
CVE-2024-54152 is a critical Remote Code Execution (RCE) vulnerability affecting the angular-expressions Node.js package. This vulnerability allows an attacker to craft malicious expressions that bypass the intended sandbox, leading to arbitrary code execution on the system. Versions of angular-expressions prior to 1.4.3 are vulnerable, and a patch has been released to address this issue.
The impact of CVE-2024-54152 is severe. An attacker can leverage this vulnerability to execute arbitrary code on the server hosting the application utilizing the vulnerable angular-expressions package. This could lead to complete system compromise, including data exfiltration, malware installation, and denial of service. The disclosed example demonstrates how a simple expression can already bypass the sandbox, suggesting that more complex and stealthy payloads are possible. The potential blast radius extends to any sensitive data processed or stored by the application, as well as any other systems accessible from the compromised server.
CVE-2024-54152 was publicly disclosed on December 10, 2024. The vulnerability's simplicity and the potential for easy exploitation suggest a medium probability of exploitation (EPSS score likely medium). While no public exploits have been widely reported, the ease of crafting malicious expressions makes it a likely target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Applications built with Node.js that utilize the angular-expressions package, particularly those that dynamically generate expressions from user input, are at significant risk. This includes web applications, APIs, and backend services that rely on this package for expression parsing. Developers who have not recently reviewed their dependencies are also at increased risk.
• nodejs / supply-chain: `npm list angular-expressions` (lists every installed copy of the package with its version; any copy below 1.4.3 is affected)
• nodejs / supply-chain: `npm audit` (reports known advisories for the whole dependency tree; look for angular-expressions in the output)
• generic web: Inspect application code for instances where user input is directly used within expressions passed to the angular-expressions package. Look for code patterns that construct expressions dynamically from user-controlled data.
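The `npm list` check above only prints the tree; the following script, an added example that is not part of the advisory or the angular-expressions project, walks the JSON that `npm ls --all --json` produces and flags every copy of angular-expressions older than the fixed version 1.4.3, including copies nested under other dependencies, which a top-level glance can miss. It assumes the standard `npm ls --json` shape (a `dependencies` map whose entries carry a `version` field); the `SAMPLE` tree is constructed for the demonstration.

```javascript
// Added example (not from the advisory or the angular-expressions project):
// report every installed copy of angular-expressions below the fixed version.
const FIXED = [1, 4, 3]; // first fixed version named in the advisory

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored); null if unparsable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when version triple a is strictly older than b.
function isOlderThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Recursively walk an `npm ls --all --json` tree. Every angular-expressions
// entry that is older than FIXED, or whose version cannot be parsed, is
// reported together with the dependency path that pulls it in.
function findVulnerable(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, name];
    if (name === 'angular-expressions') {
      const ver = parseVersion(info.version || '');
      if (ver === null || isOlderThan(ver, FIXED)) {
        out.push({ path: here.join(' > '), version: info.version || 'unknown' });
      }
    }
    findVulnerable(info, here, out); // nested node_modules copies
  }
  return out;
}

// Constructed sample in the shape of `npm ls --all --json` output: the
// top-level copy is patched, but a transitive dependency still pins 1.4.2.
const SAMPLE = {
  name: 'demo-app',
  dependencies: {
    'angular-expressions': { version: '1.4.3' },
    'report-renderer': {
      version: '2.0.0',
      dependencies: {
        'angular-expressions': { version: '1.4.2' },
      },
    },
    'other-lib': { version: '0.1.0' },
  },
};

// Usage: `npm ls --all --json > tree.json && node check.js tree.json`;
// without an argument the constructed sample is scanned instead.
if (typeof require === 'function' && process.argv[2]) {
  const text = require('node:fs').readFileSync(process.argv[2], 'utf8');
  console.log(JSON.stringify(findVulnerable(JSON.parse(text)), null, 2));
} else {
  console.log(JSON.stringify(findVulnerable(SAMPLE), null, 2));
}
```

An unparsable version is reported rather than ignored, so a copy installed from a git URL or a local path still shows up for manual review instead of silently passing.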
disclosure
Exploitation status
EPSS: 15.82% (95th percentile)
CISA SSVC
The primary mitigation for CVE-2024-54152 is to immediately upgrade the angular-expressions package to version 1.4.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and sanitization on any user-supplied expressions passed to the angular-expressions package. While not a complete solution, this can reduce the attack surface. Review application code for any instances where user input is directly used within expressions. There are no specific WAF rules or detection signatures readily available, so focus on code-level fixes and input validation.
Update the angular-expressions library to version 1.4.3 or later. Alternatively, disable access to `__proto__` globally or make sure to call the function with a single argument.
CVE-2024-54152 is a critical Remote Code Execution vulnerability in the angular-expressions Node.js package, allowing attackers to execute arbitrary code by crafting malicious expressions.
You are affected if your Node.js application uses angular-expressions versions 1.4.2 or earlier. Check your project dependencies immediately.
Upgrade the angular-expressions package to version 1.4.3 or later using npm or yarn. If upgrading is not possible, implement strict input validation.
While no widespread exploitation has been confirmed, the vulnerability's simplicity makes it a likely target, so vigilance is advised.
Refer to the npm advisory and related security announcements for the latest information: [https://www.npmjs.com/advisories/1732](https://www.npmjs.com/advisories/1732)