The merge() function in AngularJS, which is used to combine multiple objects into a single, new object, is affected by this High-severity vulnerability. The function can be used to add or modify the properties of Object.prototype.
JavaScript allows all properties of an object to be merged, including the magic properties __proto__, constructor and prototype. Specifically with this exploit, it's possible to merge a __proto__ property, thereby altering Object.prototype and exposing a vulnerability. Because Object.prototype properties are inherited by all JavaScript objects, the attacker has wide latitude to impact code execution. It might lead to remote code execution or even a denial of service by triggering JavaScript exceptions.
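The following added example (not AngularJS source and not code from the original advisory) shows the mechanism with a simplified recursive merge next to a hardened one that skips the magic keys. The helper names `unsafeMerge`, `safeMerge` and `demo`, and the sample JSON, are constructed for illustration.

```javascript
// Added example: simplified deep merges (hypothetical helpers), not AngularJS source.
const isObject = (v) => v !== null && typeof v === 'object';

// Naive deep merge: follows every own enumerable key of src, including "__proto__".
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (isObject(val)) {
      // For key "__proto__", dst[key] resolves to Object.prototype via the
      // inherited accessor, so the recursion writes onto the shared prototype.
      if (!isObject(dst[key])) dst[key] = Array.isArray(val) ? [] : {};
      unsafeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened merge: refuse to copy or descend into the magic property names.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (isObject(val)) {
      if (!isObject(dst[key])) dst[key] = Array.isArray(val) ? [] : {};
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed input: JSON.parse creates "__proto__" as an ordinary own property,
// which is how the key typically reaches a merge call from untrusted data.
const SAMPLE = '{"theme":"dark","__proto__":{"polluted":true}}';

// Returns true if merging SAMPLE with mergeFn changed Object.prototype.
function demo(mergeFn) {
  mergeFn({}, JSON.parse(SAMPLE));
  const leaked = ({}).polluted === true; // a fresh, unrelated object inherits it
  delete Object.prototype.polluted;      // restore global state after the check
  return leaked;
}

console.log('unsafeMerge pollutes Object.prototype:', demo(unsafeMerge)); // true
console.log('safeMerge pollutes Object.prototype:', demo(safeMerge));     // false
```

The same `demo` check works as a regression test around any merge helper that receives parsed JSON or other untrusted objects.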
Read more on GitHub.
The vulnerability exists in all versions of AngularJS prior to version 1.7.9. For those unable to upgrade, clients of HeroDevs Never-Ending Support for AngularJS have access to a fixed version of AngularJS that is compatible with Angular 1.5. The targets vulnerable to attack are:
There are several ways to help prevent this sort of attack:
The fix for this vulnerability is present in 1.7.9 and is also immediately available to HeroDevs AngularJS Never-Ending Support clients who are still on Angular 1.5. If you would like support to avoid potentially costly attacks, contact HeroDevs today.
NIST BDSA-2019-10768 entry