CVE-2024-54152

CRITICAL

Angular Expressions < 1.4.3 - Remote Code Execution via Sandbox Escape

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-54152. PoCs published by math-x-io.

AI-analyzed exploit summary: This repository contains a working proof-of-concept for CVE-2024-54152, demonstrating arbitrary code execution via Angular Expressions sandbox escape. The PoC includes a vulnerable Node.js application and scripts in Go and Python to exploit it.

Description

Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to version 1.4.3, an attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. With a more complex (undisclosed) payload, one can obtain full arbitrary code execution on the system. The problem has been patched in version 1.4.3 of Angular Expressions. Two possible workarounds are available: one may either disable access to `__proto__` globally, or make sure that the function is only ever called with a single argument.

Exploits (1)

nomisec · Working PoC · 13 stars
by math-x-io · poc
https://github.com/math-x-io/CVE-2024-54152-poc

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Angular Expressions < 1.4.3
No auth needed
Prerequisites: Vulnerable version of Angular Expressions (< 1.4.3) · Access to the `/parse` endpoint
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v4 9.3
EPSS 0.3031
EPSS Percentile 96.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (2)
npm/angular-expressions 0 - 1.4.3 (npm)
peerigon/angular-expressions < 1.4.3
Published Dec 10, 2024
Tracked Since Feb 18, 2026