View all Vulnerabilities

CVE-2019-10768

ReDoS Vulnerability
Affects
AngularJS
<1.7.9
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs
View NES Solution

Steps to Reproduce

The merge() function in AngularJS, which is used to combine multiple objects into a single, new object, is vulnerable to this High-level vulnerability. The command can be used to add or modify the properties of Object.prototype. 

Javascript allows all properties of an object to be merged, including the magic properties __proto__, constructor and prototype. Specifically with this exploit, it’s possible to merge a __proto__ property thereby altering the Object.prototype and exposing a vulnerability. Because Object.prototype properties are inherited by all Javascript objects, the attacker has wide latitude to impact code execution. It might lead to remote code execution or even a denial of service via triggering Javascript exceptions.

Read more on GitHub.

Addressing the Issue

The exploit exists in all versions of AngularJS prior to version 1.7.9. For those unable to upgrade, clients of HeroDevs Never-Ending Support for AngularJS have access to a fixed version of AngularJS that is compatible with Angular 1.5.  The targets vulnerable to attack are:

  • the web server
  • the application server
  • the web browser.

Learning and Prevention

There are several ways to help prevent this sort of attack:

  1. Freeze the prototype. Using Object.freeze(Object.prototype) is a drastic action that severely curtails flexibility in the program—but it will prevent this type of attack.
  2. Require schema validation.  JSON input can be scanned (“sanitized”) so that it does not include the __proto__ attribute.
  3. Avoid using unsafe recursive merge functions. Though valid, this recommendation has limited applicability because the problem isn’t in the nature of recursive merge functions—the problem lies in the merge() functions, whether recursive or not, blindly copying the dangerous attribute to Object.prototype.
  4. Use objects without prototypes. Consider Object.create(null) or proxy objects or a custom class to create an object that does not use prototypes. An object that doesn’t inherit from Object.prototype isn’t susceptible to pollution.
  5. Use arrays and map(). Instead of using objects and merge(), use arrays and the map() function to avoid the possibility of prototype pollution completely.

Conclusion

The fix described in this vulnerability is present in 1.7.9 and is also immediately available to HeroDevs AngularJS Never-Ending Support clients who are still on Angular 1.5. If you would like support to avoid potentially costly attacks, contact HeroDevs today.

Resources

NIST BDSA-2019-10768 entry

Vulnerability Details

ID
CVE-2019-10768
Libraries Affected
AngularJS
Versions Affected
<1.7.9
≈ Fix date
November 1, 2019
Fixed in
AngularJS NES
Severity
High
Category
ReDoS Vulnerability

Sign up for alerts

Get alerted whenever a new vulnerability is fixed in the open source software we support.

Saving the day when your open source software is sunsetting
+1 877-586-1965
hello@herodevs.com
8850 S 700 E #2437
Sandy, UT 84070
Company
Home
Careers
Pricing
Partners
Pro Services
Contact
Products
All Products
Angular NES
jQuery NES
Drupal 7 NES
AngularJS NES
Vue 2 NES
Bootstrap NES
Nuxt NES
Spring NES
Protractor NES
Resources
Blog
Vulnerability Directory
Newsletters
Legal
Privacy Policy
Terms of Service
Socials
© 2024 herodevs.com  |  All Rights Reserved