Steps to Reproduce
In versions of Angular starting from 1.0.0, a Regular Expression Denial of Service (ReDoS) attack is possible via the $resource service because the service uses an insecure regular expression. If a malicious actor carefully composes an insecure resource URL value and provides it to the service, it can cause catastrophic backtracking and monopolize system resources. A proof of concept demonstrating this exploit is available on StackBlitz.
Addressing the Issue
The fix for this exploit is available in XLTS for AngularJS versions 1.9.1 and 1.5.17; site owners should update to these versions.
Learning and Prevention
A ReDoS attack makes the target system attempt a regular expression pattern match that takes a long time to complete, thereby denying service to legitimate users of the system. It is a form of Denial of Service (DoS) attack.
In the attack, the regular expression engine executes a set of steps as it attempts to find a match. Some of these steps can be accomplished quickly while others, especially those that fail, take much longer. In this case, when the browser attempts to match a carefully crafted input with the vulnerable regular expression, the browser may spend an extraordinary amount of time returning a result as it backtracks to try alternative matches.
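The backtracking cost described above can be checked in a regression test alongside a linear-time replacement. The following is an added example, not code from AngularJS, XLTS, or this advisory. It assumes the pattern in question is a trailing-slash strip of the form /\/+$/ (the advisory does not quote the pattern), and the function names and sample inputs are hypothetical.

```javascript
// Added example; not AngularJS or XLTS source code.
// ASSUMPTION: the pattern is a trailing-slash strip of the form /\/+$/.
const TRAILING_SLASHES = /\/+$/;

// Simplified model of a backtracking matcher running /\/+$/: from each start
// offset it consumes the run of slashes, then tests for end of input. When the
// run is not at the end, the attempt fails and restarts one offset later, so
// the same slashes are re-read again and again.
function backtrackingSteps(url) {
  let steps = 0;
  for (let start = 0; start < url.length; start++) {
    let i = start;
    while (i < url.length && url[i] === '/') { i++; steps++; }
    steps++; // end-of-input test, or the failed first comparison
    if (i > start && i === url.length) return steps; // match found
  }
  return steps;
}

// Linear-time replacement: scan once from the end, stop at the first non-slash.
function stripTrailingSlashes(url) {
  let end = url.length;
  while (end > 0 && url.charCodeAt(end - 1) === 0x2f) end--;
  return url.slice(0, end);
}

// Constructed sample inputs for the equivalence check.
const SAMPLES = ['/api/users/', '/api//users///', '/', '', 'users', '//a//b'];

// True when the loop returns exactly what the regex replace returns.
function agreesWithRegex(samples) {
  return samples.every(
    (s) => stripTrailingSlashes(s) === s.replace(TRAILING_SLASHES, '')
  );
}

// Modelled step counts for a slash run of length n followed by one other
// character: doubling n roughly quadruples the work.
function modelGrowth(sizes) {
  return sizes.map((n) => ({ n, steps: backtrackingSteps('/'.repeat(n) + 'x') }));
}

console.log('loop agrees with regex on samples:', agreesWithRegex(SAMPLES));
console.table(modelGrowth([100, 200, 400, 800]));
```

The step counts come from the simplified model, not from a specific engine; real engines differ in constants and optimizations, but the growth pattern is what a length limit or a loop-based replacement removes.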
Conclusion
The fix described in this vulnerability is present in XLTS for AngularJS 1.9.1 and 1.5.17 and is also immediately available to HeroDevs AngularJS Never-Ending Support clients. If you would like the peace of mind that comes from a HeroDevs Never-Ending Support subscription, contact our sales team today.
Resources
NIST 2023-26117 entry