Steps to Reproduce
AngularJS packages with versions greater than 1.7.0 are susceptible to this Regular Expression Denial of Service (ReDoS) exploit. If an app assigns a user-provided value to $locale.NUMBER_FORMATS.PATTERNS[1].posPre, an attacker could provide a value consisting of an extremely high number of spaces to cause a Denial of Service, such as ' '.repeat(1000000). A proof of concept demonstrating this exploit is available on StackBlitz
Addressing the Issue
This issue is present in all versions of AngularJS higher than 1.7.0 and there is no version of the library with a fix in it. However, developers can check that no user-provided values are assigned to $locale.NUMBER_FORMATS.PATTERNS[1].posPre or if they are that the values' length is limited to a few characters.
Learning and Prevention
Denial of service attacks are designed to use the resources of the target system in a way that leaves no resources left for legitimate users of the system. This exploit is of the type Regular Expression Denial of Service (ReDoS), which has the target system attempt to solve a regular expression pattern match that will take a long time.
The regular expression engine executes a set of steps as it attempts to find a match. Some of these steps can be accomplished quickly while others, especially those that fail, take much longer. When a string value is given that consists of a very large number of spaces, such as 1000000 spaces, the browser may spend an extraordinary amount of time returning a result.
This is especially true when some matching steps fail and the regular expression engine must back up to execute alternatives. In these cases, the 1 000 000 number of spaces is deceptive: the actual number of steps the engine attempts to execute can be an exponential value of 1 000 000, thereby monopolizing the target system.
Conclusion
Though this exploit does not have a fix, clients of HeroDevs Never-Ending Support for AngularJS were notified of the exploit when it became public. If you aren’t a client and are interested in a subscription, contact our sales team today.
Resources
NIST 2022-25844 entry