CVE-2026-44643: CVE-2026-44643: Sandbox Escape and Remote Code Execution in angular-expressions

#security #cve #cybersecurity

CVE-2026-44643: Sandbox Escape and Remote Code Execution in angular-expressions

Vulnerability ID: CVE-2026-44643
CVSS Score: 9.3
Published: 2026-05-11

CVE-2026-44643 is a critical sandbox escape vulnerability in the peerigon/angular-expressions library. The flaw permits unauthenticated remote code execution via prototype traversal and improper validation of filter expressions. By crafting specific malicious inputs, attackers can access the global Function constructor.

TL;DR

A critical sandbox escape in angular-expressions < 1.5.2 allows RCE via prototype traversal in malicious filter definitions.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-95
CVSS v4.0: 9.3
Attack Vector: Network
Impact: Remote Code Execution (RCE)
Privileges Required: None
CISA KEV Status: Not Listed

Affected Systems

Node.js environments utilizing peerigon/angular-expressions
Browser applications relying on client-side expression evaluation
angular-expressions: < 1.5.2 (Fixed in: 1.5.2)

Mitigation Strategies

Upgrade Library
Runtime Hardening
Input Validation
Content Security Policy

Remediation Steps:

Update package.json to require angular-expressions version 1.5.2 or higher.
Execute 'npm install' or 'yarn install' to pull the patched dependency into the build environment.
Deploy the updated application to production environments.
Modify the Node.js startup command to include the '--disable-proto=delete' flag.
Implement application-level filtering to reject strings containing 'constructor' or 'proto'.

References

Read the full report for CVE-2026-44643 on our website for more details including interactive diagrams and full exploit analysis.

DEV Community