TLDR : If your docxtemplater installation uses the angular parser, please upgrade angular-expressions to use version 1.5.2.

```sh
npm install --save angular-expressions@1.5.2
# Redeploy your code
```

This command and a restart of your application in production will ensure you are safe.
Angular-expressions is not a dependency of docxtemplater, but we give some examples of using this package in our docs : https://docxtemplater.com/docs/angular-parse/. You can check if you have angular-expressions installed by looking at your package.json in your dependencies.
While docxtemplater itself is not vulnerable, upgrading to v3.68.7 is recommended for a 'defense-in-depth' approach. This version:
- Uses the `{csp: true}` option as a new default, adding a secondary security layer to mitigate potential risks.
- Provides improved compatibility when using `{csp: true}` mode.
Summary
Today, on 7th May 2026 at 12:16 AM UTC+2, the "angular-expressions" module was patched to fix a vulnerability. This vulnerability is disclosed here as a GitHub Security Advisory : GHSA-pw8r-6689-xvf4.
A CVE number is expected to be assigned to this vulnerability shortly. We are currently awaiting confirmation from the GitHub validation team.
If you're using docxtemplater together with the angular-expressions module, you need to take immediate action and update your angular-expressions module to version 1.5.2.
The issue was in the "angular-expressions" package and allows Remote Code Execution.
The patched version of angular-expressions now blocks calls to unauthorized code.
Here is some docxtemplater-specific information about the vulnerability:
Impact
The vulnerability allows Remote Code Execution.
You are impacted if all of the points below are true:
- You are using the expressionParser (sometimes also called angular-parser), i.e. the angular-expressions package,
- You use the `docxtemplater/expressions.js` parser, or your own parser implementation calls `angularParser.compile(tag)(scope)`,
- Your templates are created by users you can't trust.
To check whether you use the angular-parser, look for a call like `const doc = new Docxtemplater(zip, { parser: expressionParser })` where the `expressionParser` function comes from `docxtemplater/expressions.js`.
The vulnerability was reported by San Gil (https://securityoffice.io/)
Patches
The vulnerability comes from "angular-expressions" and has been patched in version 1.5.2.
You are vulnerable if you use angular-expressions 1.5.1 or below.
To apply the patch, run:

```sh
npm install --save angular-expressions@1.5.2
```
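Running the install command fixes the top-level dependency, but a second copy of angular-expressions can remain nested under another package. The following script is an added example (not part of the advisory or of docxtemplater) that walks an npm `package-lock.json` (lockfileVersion 2 or 3, which list every installed package under `packages` keyed by its `node_modules` path) and reports each installed copy that is at or below 1.5.1. The version comparison is a deliberately simple numeric one; the sample lockfile is constructed for the demonstration.

```javascript
// Added example: audit a package-lock.json for vulnerable angular-expressions copies.
// Assumes the npm lockfileVersion 2/3 layout ("packages" map); lockfileVersion 1,
// yarn and pnpm lockfiles are not handled.

const PATCHED = [1, 5, 2]; // first safe version according to the advisory

// Parse "1.5.1" into [1, 5, 1]; pre-release and build suffixes are dropped.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Numeric comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True for 1.5.1 and every earlier version.
function isVulnerableVersion(version) {
  return compareVersions(parseVersion(version), PATCHED) < 0;
}

// Return every installed angular-expressions entry, including nested copies
// under other packages' node_modules, with a vulnerable flag.
function auditLockfile(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!/(^|\/)node_modules\/angular-expressions$/.test(path)) continue;
    findings.push({
      path,
      version: meta.version,
      vulnerable: isVulnerableVersion(meta.version),
    });
  }
  return findings;
}

function hasVulnerableCopy(lock) {
  return auditLockfile(lock).some((f) => f.vulnerable);
}

// Constructed sample lockfile: one vulnerable top-level copy and one patched
// copy nested under a hypothetical dependency "some-lib".
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "angular-expressions": "^1.4.0" } },
    "node_modules/angular-expressions": { version: "1.5.1" },
    "node_modules/docxtemplater": { version: "3.68.7" },
    "node_modules/some-lib/node_modules/angular-expressions": { version: "1.5.2" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.vulnerable ? "VULNERABLE, upgrade to 1.5.2" : "ok"}`);
}
```

To audit a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Any nested copy that is reported as vulnerable is not fixed by the `npm install --save` command above; it has to be upgraded in the package that depends on it or overridden in your own `package.json`.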
Workarounds
If you can't upgrade to a newer angular-expressions, you can also fix the issue without upgrading by one of the following (each technical solution works around the issue on its own; there is no need to apply more than one, but combining them adds another security layer):
- Using the `{csp: true}` option in your expressionParser configuration:
```js
// Workaround #1 : Code made safe even with angular-expressions@1.5.1
const fs = require("fs");
const PizZip = require("pizzip");
const Docxtemplater = require("docxtemplater");
const expressionParser = require("docxtemplater/expressions.js");

// Load the template (the path is an example)
const zip = new PizZip(fs.readFileSync("template.docx"));

const doc = new Docxtemplater(zip, {
    paragraphLoop: true,
    linebreaks: true,
    // csp mode is the workaround: the parser is safe with angular-expressions@1.5.1
    parser: expressionParser.configure({
        csp: true,
    }),
});
doc.render({
    first_name: "John",
    last_name: "Doe",
    phone: "0652455478",
    description: "New Website",
});
```
- Allowing only a subset of characters in the expressions:

```js
// Workaround #2 : Code made safe even with angular-expressions@1.5.1
const fs = require("fs");
const PizZip = require("pizzip");
const Docxtemplater = require("docxtemplater");
const merge = require("lodash/merge.js");
const expressions = require("angular-expressions");

function angularParser(tag) {
    // "{.}" refers to the current scope itself
    if (tag === ".") {
        return {
            get(s) {
                return s;
            },
        };
    }
    // Normalise the typographic quotes that Word inserts automatically
    tag = tag.replace(/(’|“|”|‘)/g, "'");
    // Allow only trusted characters inside angular expressions.
    // "+-?" inside the class is a range covering every character from "+" to "?",
    // i.e. + , - . / 0-9 : ; < = > ?  Parentheses, brackets and braces are not
    // allowed, so a tag cannot contain a function call or computed property access.
    if (!/^[|a-zA-Z.0-9 :"'+-?]+$/.test(tag)) {
        // Untrusted characters: the tag resolves to undefined instead of being compiled
        return {
            get(s) {
                return undefined;
            },
        };
    }
    const expr = expressions.compile(tag);
    return {
        get(scope, context) {
            // Merge every enclosing scope so that expressions can reach parent values
            let obj = {};
            const scopeList = context.scopeList;
            const num = context.num;
            for (let i = 0, len = num + 1; i < len; i++) {
                obj = merge(obj, scopeList[i]);
            }
            return expr(scope, obj);
        },
    };
}

// Load the template (the path is an example)
const zip = new PizZip(fs.readFileSync("template.docx"));
const doc = new Docxtemplater(zip, { parser: angularParser });
```
- Deactivating the angular-parser, i.e. removing the `parser` option in `const doc = new Docxtemplater(zip, options)`: this will break some templates that use angular features, such as `{user.name}`, `{user.age > 18}`, `{hobby == "Football"}`.
References
[Angular Expressions advisory](GHSA-pw8r-6689-xvf4)
For more information
If you have any questions or comments about this advisory:
Detecting potential attacks
You could check the templates that were uploaded to your servers to see if someone tried to use the vulnerability. To find such a template, search for templates that contain, within a {placeholder}, the string "constructor", the string "return", or the string "process". In this case, it might be a payload, and you can send us the template privately for further analysis.
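A .docx file is a zip archive whose text lives in `word/document.xml`, and Word often splits one placeholder across several `<w:t>` runs, so a plain string search over the raw XML can miss a tag. The script below is an added example (not part of the advisory or of docxtemplater) that flattens the XML to text, extracts every `{...}` placeholder using docxtemplater's default delimiters, and reports the ones containing the three strings named above. The sample XML fragment is constructed for the demonstration; extracting `word/document.xml` from the archive is left to whatever zip library you already use.

```javascript
// Added example: flag {placeholders} in a template's XML that contain the
// indicator strings from the advisory. Sample input is constructed.

const SUSPICIOUS_STRINGS = ["constructor", "return", "process"];

// Flatten word/document.xml to text: paragraph ends become newlines, every
// other tag is dropped, and XML entities are decoded only after the tags are
// gone so that "&lt;" cannot be mistaken for markup.
// Assumption: the XML passed in covers the whole document body, otherwise a
// placeholder split across the boundary is not seen as one tag.
function extractPlainText(documentXml) {
  return documentXml
    .replace(/<w:tab\/>/g, "\t")
    .replace(/<\/w:p>/g, "\n")
    .replace(/<[^>]+>/g, "")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&");
}

// Return the inside of every {...} placeholder (default docxtemplater delimiters).
function extractTags(text) {
  const tags = [];
  const re = /\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(text)) !== null) tags.push(m[1]);
  return tags;
}

// Return the placeholders that contain an indicator string, with the matches.
function findSuspiciousTags(documentXml) {
  return extractTags(extractPlainText(documentXml))
    .map((tag) => ({
      tag,
      matches: SUSPICIOUS_STRINGS.filter((s) => tag.includes(s)),
    }))
    .filter((r) => r.matches.length > 0);
}

// Constructed fragment of word/document.xml: two benign tags, one benign tag
// split across two runs (with an escaped ">"), and one tag that should be flagged.
const SAMPLE_DOCUMENT_XML = [
  "<w:p><w:r><w:t>Hello {first_name} {last_name}</w:t></w:r></w:p>",
  "<w:p><w:r><w:t>Age check: {user.</w:t></w:r><w:r><w:t>age &gt; 18}</w:t></w:r></w:p>",
  "<w:p><w:r><w:t>{x.constructor}</w:t></w:r></w:p>",
].join("");

const SAMPLE_REPORT = findSuspiciousTags(SAMPLE_DOCUMENT_XML);
for (const r of SAMPLE_REPORT) {
  console.log(`suspicious tag {${r.tag}}: contains ${r.matches.join(", ")}`);
}
```

The indicator strings are substrings, so a legitimate field such as `{return_date}` or `{process_name}` is also reported; treat the output as a review queue rather than a verdict, and apply the same scan to `word/header*.xml` and `word/footer*.xml`, which docxtemplater renders as well.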
Credits
The vulnerability was found and reported by San Gil (https://securityoffice.io/)