Arbitrary Code Execution Affecting angularjs.core package, versions [,1.3.0)

  • Attack Complexity


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    23 Jan 2017

  • disclosed

    7 Jun 2014

  • credit

    Jann Horn

How to fix?

Upgrade AngularJS.Core to version 1.3.0 or higher.


AngularJS.Core is an AngularJS.* package for other Angular modules within .NET.

Affected versions of this package are vulnerable to Arbitrary Code Execution. $parse allowed arbitrary code execution via Angular expressions under some very specific conditions. The only applications affected by these vulnerabilities are those that match all of the following conditions:

  • Application mixes server-side and client-side templating
  • The server-side templating contains XSS vulnerabilities
  • The vulnerabilities in the server-side templating are being guarded by server-side XSS filters or on the client-side via CSP
  • The server-side XSS vulnerabilities can be used to augment the client-side template processed by Angular

Applications not meeting all of the conditions are not vulnerable.