Connect with sales  +1 877-586-1965

By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2019-10768

Cross-Site Scripting
Affects
AngularJS
<1.7.9
in
AngularJS
No items found.
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs
View NES Solution

Steps to Reproduce

The merge() function in AngularJS, which is used to combine multiple objects into a single, new object, is vulnerable to this High-level vulnerability. The command can be used to add or modify the properties of Object.prototype.

Javascript allows all properties of an object to be merged, including the magic properties __proto__, constructor and prototype. Specifically with this exploit, it’s possible to merge a __proto__ property thereby altering the Object.prototype and exposing a vulnerability. Because Object.prototype properties are inherited by all Javascript objects, the attacker has wide latitude to impact code execution. It might lead to remote code execution or even a denial of service via triggering Javascript exceptions.

Read more on GitHub.

Addressing the Issue

The exploit exists in all versions of AngularJS prior to version 1.7.9. For those unable to upgrade, clients of HeroDevs Never-Ending Support for AngularJS have access to a fixed version of AngularJS that is compatible with Angular 1.5.  The targets vulnerable to attack are:

  • the web server
  • the application server
  • the web browser.

Learning and Prevention

There are several ways to help prevent this sort of attack:

  1. Freeze the prototype. Using Object.freeze(Object.prototype) is a drastic action that severely curtails flexibility in the program—but it will prevent this type of attack.
  2. Require schema validation.  JSON input can be scanned (“sanitized”) so that it does not include the __proto__ attribute.
  3. Avoid using unsafe recursive merge functions. Though valid, this recommendation has limited applicability because the problem isn’t in the nature of recursive merge functions—the problem lies in the merge() functions, whether recursive or not, blindly copying the dangerous attribute to Object.prototype.
  4. Use objects without prototypes. Consider Object.create(null) or proxy objects or a custom class to create an object that does not use prototypes. An object that doesn’t inherit from Object.prototype isn’t susceptible to pollution.
  5. Use arrays and map(). Instead of using objects and merge(), use arrays and the map() function to avoid the possibility of prototype pollution completely.

Conclusion

The fix described in this vulnerability is present in 1.7.9 and is also immediately available to HeroDevs AngularJS Never-Ending Support clients who are still on Angular 1.5. If you would like support to avoid potentially costly attacks, contact HeroDevs today.

Resources

NIST BDSA-2019-10768 entry

Pink arrow
Previous
CVE-2024-8372
Next
CVE-2024-21490
Pink arrow
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2019-10768
PROJECT Affected
AngularJS
Versions Affected
<1.7.9
Published date
November 19, 2019
≈ Fix date
November 1, 2019
Fixed in
AngularJS NES
Severity
Critical
Category
Cross-Site Scripting