CVE-2017-16009
Description
ag-grid is an advanced data grid that is library agnostic. ag-grid is vulnerable to Cross-site Scripting (XSS) via Angular Expressions, if AngularJS is used in combination with ag-grid.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ag-grid versions prior to a fix are vulnerable to Cross-site Scripting (XSS) via Angular expressions when used with AngularJS.
Vulnerability
ag-grid, an advanced data grid library, is vulnerable to Cross-site Scripting (XSS) via Angular expressions when AngularJS is used in combination with ag-grid [2]. The vulnerability exists because user input containing Angular expressions (e.g., {{constructor.constructor('alert(1)')()}}) is not sanitized before being processed by the AngularJS template engine [4]. This affects versions of ag-grid that do not include the fix for this issue; the exact affected version range is not specified in the available references, but the issue was reported in GitHub issue #1287 [4].
Exploitation
An attacker needs to inject a crafted Angular expression into data displayed in an ag-grid instance that uses AngularJS. No authentication or special network position is required if the application renders untrusted input in grid cells. The attack does not require user interaction beyond visiting the page. The attacker can bypass the AngularJS expression sandbox using known techniques [3]. The sequence involves providing input containing an Angular expression (e.g., `{{a='constructor';b='constructor';ab')())()}}`) that, when rendered by ag-grid within an AngularJS context, executes arbitrary JavaScript [3][4].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of sensitive data, session hijacking, defacement, or other malicious actions performed on behalf of the authenticated user [2]. The impact is the same as a typical stored or reflected XSS vulnerability, depending on how the application processes and displays user-supplied data.
Mitigation
The official fix is to upgrade ag-grid to a version that includes the patch for this issue. According to the GitHub issue [4], ag-grid already addressed HTML injection in a previous issue (#913) but this specific Angular expression injection required additional handling. The exact fixed version is not disclosed in the provided references. If upgrading is not immediately possible, application developers should ensure that any user-supplied data displayed in ag-grid is properly sanitized to remove or escape Angular expression syntax (double curly braces {{ and }}). Alternatively, avoid using AngularJS with ag-grid or use a Content Security Policy (CSP) that restricts script execution.
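The mitigation above (neutralise the `{{ }}` delimiters, or keep untrusted cell text out of AngularJS compilation altogether) as an added example; this is not code from ag-grid or from the advisory. It assumes an ag-grid setup with the `angularCompileRows` option enabled, an ag-grid `cellRenderer` that may return a DOM element, and AngularJS's `ng-non-bindable` directive; the sample values are constructed.

```javascript
// Added defensive example for an AngularJS + ag-grid page. With the ag-grid
// option angularCompileRows enabled, rendered cell HTML is passed to $compile,
// so any "{{ ... }}" in untrusted data is evaluated as an Angular expression.
// Two layers: (1) break the interpolation delimiters in the text itself,
// (2) render cells as plain text inside an element marked ng-non-bindable,
// which AngularJS's compiler skips entirely.

const ZWSP = '\u200B'; // zero-width space: invisible, but "{\u200B{" is not a delimiter

// Break the interpolation delimiters so $interpolate never finds a "{{ ... }}" pair.
// Defaults to AngularJS's standard symbols; pass custom ones if the app changed
// them via $interpolateProvider.
function neutralizeInterpolation(value, startSymbol = '{{', endSymbol = '}}') {
  if (value === null || value === undefined) return '';
  const split = sym => sym[0] + ZWSP + sym.slice(1);
  return String(value)
    .split(startSymbol).join(split(startSymbol))
    .split(endSymbol).join(split(endSymbol));
}

// Detection helper for logging/alerting: true when the value carries a start
// delimiter followed later by an end delimiter, i.e. something $interpolate
// would try to evaluate.
function containsInterpolation(value, startSymbol = '{{', endSymbol = '}}') {
  const text = String(value ?? '');
  const start = text.indexOf(startSymbol);
  return start !== -1 && text.indexOf(endSymbol, start + startSymbol.length) !== -1;
}

// ag-grid cellRenderer (assumed API shape: receives params.value, returns an
// element). The value goes in as textContent, never innerHTML, and the element
// carries ng-non-bindable, so even with angularCompileRows: true the text node
// is not interpolated. `doc` is injectable so the function can be exercised
// outside a browser.
function safeCellRenderer(params, doc = document) {
  const span = doc.createElement('span');
  span.setAttribute('ng-non-bindable', '');
  span.textContent = params.value == null ? '' : String(params.value);
  return span;
}

// Usage in a column definition (constructed):
// { field: 'comment', cellRenderer: params => safeCellRenderer(params),
//   valueFormatter: params => neutralizeInterpolation(params.value) }
```

The zero-width space alters copied text slightly, so prefer the `ng-non-bindable` renderer where the grid API allows it and keep the delimiter filter as defence in depth.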
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ag-grid (npm) | <= 18.1.3-beta.1 | — |
Affected products
- HackerOne / ag-grid node module v5 (Range: All versions)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wfw3-rgfr-6g67 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-16009 (advisory)
- github.com/ceolter/ag-grid/issues/1287 (web)
- nodesecurity.io/advisories/327 (MITRE reference)
- spring.io/blog/2016/01/28/angularjs-escaping-the-expression-sandbox-for-xss (web)
News mentions
No linked articles in our index yet.