Angular Expressions Sandbox Escape CVE-2026-44643 Allows RCE

Executive Summary

A critical sandbox escape vulnerability, tracked as CVE-2026-44643, has been disclosed in the angular-expressions library — a standalone module that provides Angular.JS expression parsing outside of the full Angular framework. Versions prior to 1.5.2 allow an attacker to craft a malicious expression using filters that breaks out of the intended sandbox and executes arbitrary code on the underlying system. The maintainers released version 1.5.2 to address the flaw. The vulnerability was reported via the project's GitHub security advisory channel; no CVSS score has been published as of this writing.

Technical Analysis

The angular-expressions library is used by developers who need Angular.JS-style template expressions (e.g., {{ expression | filter }}) in non-browser environments such as Node.js or server-side rendering pipelines. The sandbox is designed to restrict expression evaluation to safe property access and function calls, preventing access to dangerous globals like process, require, or eval.

According to the advisory published on the project's GitHub repository, the sandbox enforcement fails when expressions include filters — a feature that chains value transformations. An attacker can supply a filter expression that, during evaluation, escapes the sandbox context and gains access to the full JavaScript runtime. The advisory states: "an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system."

The exact mechanism of the escape is not detailed in the public advisory, but similar Angular.JS sandbox escapes historically exploit the fact that filter functions are resolved against the global scope or prototype chain, allowing an attacker to access constructors like Function or eval through property traversal. The fix in version 1.5.2 likely restricts filter resolution to a whitelist or applies stricter context isolation.

Importantly, this vulnerability affects any application that uses angular-expressions to evaluate user-supplied or untrusted expressions. Common use cases include configuration engines, low-code platforms, and server-side rendering frameworks where user-defined templates are processed. Because the library is often used in Node.js environments, a successful exploit could lead to full server compromise — arbitrary file read/write, data exfiltration, or lateral movement.

Mitigations & Recommendations

All users of angular-expressions should upgrade to version 1.5.2 immediately. The advisory confirms that the fix is included in this release, and no workarounds are documented. Defenders should:

• Identify all applications and services that depend on angular-expressions by scanning package.json or lock files for the package name.
• Update to 1.5.2 using npm install [email protected] or equivalent.
• Review any code paths where user-supplied expressions are passed to the library — even after patching, avoid evaluating untrusted expressions where possible.
• Monitor for signs of post-exploitation activity (unexpected outbound connections, file modifications) on servers that previously ran vulnerable versions.

No CVSS score has been assigned yet, but given the sandbox escape leads to arbitrary code execution, the severity is likely Critical (CVSS 9.0–10.0) once scored.