CVE-2022-25844

Cross-Site Scripting
Affects: AngularJS >=1.8
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Steps to Reproduce

AngularJS packages with versions greater than 1.7.0 are susceptible to this Regular Expression Denial of Service (ReDoS) exploit. If an app assigns a user-provided value to $locale.NUMBER_FORMATS.PATTERNS[1].posPre, an attacker could provide a value consisting of an extremely high number of spaces, such as ' '.repeat(1000000), to cause a Denial of Service. A proof of concept demonstrating this exploit is available on StackBlitz.

Addressing the Issue

This issue is present in all versions of AngularJS higher than 1.7.0, and there is no version of the library with a fix in it. However, developers can check that no user-provided values are assigned to $locale.NUMBER_FORMATS.PATTERNS[1].posPre or, if they are, that the length of each value is limited to a few characters.
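One way to apply the length check described above, as an added example that is not code from AngularJS or HeroDevs. It goes beyond posPre to cover the other affix fields of the currency pattern; the function names, the 8-character cap and the stand-in locale object are assumptions.

```javascript
// Guard for user-supplied currency affixes (added example, not AngularJS code).
const MAX_AFFIX_LENGTH = 8; // assumption: stands in for "a few characters"
const AFFIX_FIELDS = ['posPre', 'posSuf', 'negPre', 'negSuf'];

// Returns the value if it may be placed in a number-format pattern,
// otherwise throws. Rejects non-strings and anything over the length cap.
function checkAffix(field, value, maxLength = MAX_AFFIX_LENGTH) {
  if (typeof value !== 'string') {
    throw new TypeError(`${field} must be a string`);
  }
  if (value.length > maxLength) {
    throw new RangeError(`${field} is ${value.length} chars, limit is ${maxLength}`);
  }
  return value;
}

// Validates every affix first, then copies them onto the currency pattern
// (PATTERNS[1]). Unknown keys are ignored; nothing is written if a check fails.
function applyUserAffixes(locale, userInput) {
  const accepted = {};
  for (const field of AFFIX_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(userInput, field)) {
      accepted[field] = checkAffix(field, userInput[field]);
    }
  }
  Object.assign(locale.NUMBER_FORMATS.PATTERNS[1], accepted);
  return Object.keys(accepted);
}

// Constructed stand-in for the injected $locale service.
function makeLocale() {
  return { NUMBER_FORMATS: { PATTERNS: [
    { posPre: '', posSuf: '', negPre: '-', negSuf: '' },
    { posPre: '\u00A4', posSuf: '', negPre: '-\u00A4', negSuf: '' },
  ] } };
}

// True when the guard refuses the input and leaves the locale unchanged.
function rejects(userInput) {
  const locale = makeLocale();
  try {
    applyUserAffixes(locale, userInput);
    return false;
  } catch (e) {
    return JSON.stringify(locale) === JSON.stringify(makeLocale());
  }
}
```

In an application, the object passed as `locale` would be the injected $locale service, and the call would sit wherever user preferences are applied to it.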

Learning and Prevention

Denial of service attacks are designed to use the resources of the target system in a way that leaves no resources for legitimate users of the system. This exploit is a Regular Expression Denial of Service (ReDoS), which has the target system attempt to solve a regular expression pattern match that will take a long time.

The regular expression engine executes a set of steps as it attempts to find a match. Some of these steps can be accomplished quickly while others, especially those that fail, take much longer. When a string value is given that consists of a very large number of spaces, such as 1000000 spaces, the browser may spend an extraordinary amount of time returning a result.

This is especially true when some matching steps fail and the regular expression engine must back up to execute alternatives. In these cases, the figure of 1 000 000 spaces is deceptive: the actual number of steps the engine attempts to execute can be an exponential value of 1 000 000, thereby monopolizing the target system.

Conclusion

Though this exploit does not have a fix, clients of HeroDevs Never-Ending Support for AngularJS were notified of the exploit when it became public. If you aren’t a client and are interested in a subscription, contact our sales team today.

Resources

NIST 2022-25844 entry