CVE-2024-21490

ReDoS Vulnerability
Affects
AngularJS
>=1.3.0
in
AngularJS
No items found.
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Steps to Reproduce

Starting with version 1.3.0 of Angular, it’s possible to conduct a Regular Expression Denial of Service (ReDoS) attack. Because the package uses a regular expression to split the value of the ng-srcset directive, if a malicious actor carefully composes an insecure regular expression, this can cause catastrophic backtracking and monopolize system resources. A proof of concept demonstrating this exploit is available on StackBlitz.

Addressing the Issue

The fix for this exploit is available in AngularJS XLTS/NES versions 1.9.1 and 1.5.19; site owners should update to these versions.

Learning and Prevention

ReDoS attacks have the target system attempt to solve a regular expression pattern match that will take a long time (thereby denying service to legitimate users of the system). It’s a form of a Denial of Service (DDoS) attack.

In the attack, the regular expression engine executes a set of steps as it attempts to find a match. Some of these steps can be accomplished quickly while others, especially those that fail, take much longer. In this case, when the browser attempts to resolve a regular expression carefully crafted by the attacker,  the browser may spend an extraordinary amount of time returning a result as it backtracks to try alternative matches.

Conclusion

The fix described in this vulnerability is present in 1.9.1 and is also immediately available to HeroDevs AngularJS Never-Ending Support clients who are still on Angular 1.5. If you would like the peace-of-mind that comes from a HeroDevs Never-Ending Support subscription, contact our sales team today.

Resources

NIST 2024-21490 entry

Vulnerability Details
ID
CVE-2024-21490
PROJECT Affected
AngularJS
Versions Affected
>=1.3.0
Published date
February 10, 2024
≈ Fix date
August 1, 2023
Severity
High
Category
ReDoS Vulnerability