CVE-2024-21490 - AngularJS Regular Expression Denial of Service (ReDoS)

Overview

AngularJS is a JavaScript-based open-source front-end web framework for developing single-page applications.

A Regular Expression Denial of Service (ReDoS) vulnerability has been identified within AngularJS.

Per OWASP: ReDoS attacks exploit regular expression implementations that may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression (Regex) to enter these extreme situations and then hang for a very long time.

Details

Module Info

• Package manager: npm
• Affected module: angular
• Affected versions: >=v1.3.0
• Link to published package: https://www.npmjs.com/package/angular
• Github repo: https://github.com/angular/angular.js

Vulnerability Info

A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With a large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service of the application, also known as a ReDoS attack.

Steps to Reproduce

The vulnerability manifests itself when the ng-srcset attribute of an element (usually an <img> element) is filled with a value consisting of two or more URLs separated by many spaces (for example, http://examples.com/image.png 2x, ... http://example.com/image.png):

<img ng-srcset="valueWithManySpaces"/>

Proof of Concept

https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos

Remediation

AngularJS is end-of-life, though commercial support is available from HeroDevs. This vulnerability has been addressed in a patch by HeroDevs.

References

• https://github.com/angular/angular.js/security/policy
• https://www.herodevs.com/blog-posts/addressing-the-latest-angularjs-cve-2024-21490
• https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113