CVE-2024-21490

ReDoS Vulnerability
Affects: AngularJS >=1.3.0
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Steps to Reproduce

Starting with version 1.3.0 of AngularJS, it is possible to conduct a Regular Expression Denial of Service (ReDoS) attack. The package uses a regular expression to split the value of the ng-srcset directive; if a malicious actor supplies a carefully crafted value, that insecure regular expression can be driven into catastrophic backtracking and monopolize system resources. A proof of concept demonstrating this exploit is available on StackBlitz.

Addressing the Issue

The fix for this exploit is available in AngularJS XLTS/NES versions 1.9.1 and 1.5.19; site owners should update to these versions.

Learning and Prevention

ReDoS attacks make the target system attempt a regular expression pattern match that takes a very long time to complete, thereby denying service to legitimate users of the system. It is a form of Denial of Service (DoS) attack.

In the attack, the regular expression engine executes a series of steps as it attempts to find a match. Some of these steps complete quickly, while others, especially those that fail, take much longer. In this case, when the browser attempts to match the regular expression against input carefully crafted by the attacker, it may spend an extraordinary amount of time returning a result as it backtracks to try alternative matches.
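The defensive pattern this points to is to split the ng-srcset value with a single left-to-right scan rather than a backtracking regular expression, so the work stays proportional to the input length whatever its shape. The following is an added example and not AngularJS code or the project's actual fix; it assumes a simplified srcset grammar (comma-separated candidates, each a whitespace-free URL optionally followed by a descriptor such as "2x" or "640w") and a constructed size cap named MAX_SRCSET_LENGTH.

```javascript
// Added example, not AngularJS code: one left-to-right scan, no backtracking,
// so parsing cost is linear in the input length regardless of its contents.
// Assumed simplified srcset grammar: comma-separated candidates, each a URL
// without whitespace, optionally followed by whitespace and one descriptor.

// Constructed limit: reject oversized attribute values before parsing.
const MAX_SRCSET_LENGTH = 4096;

function isSpace(ch) {
  return ch === ' ' || ch === '\t' || ch === '\n' || ch === '\r' || ch === '\f';
}

function parseSrcset(value) {
  if (typeof value !== 'string') return [];
  if (value.length > MAX_SRCSET_LENGTH) {
    throw new RangeError('srcset value exceeds MAX_SRCSET_LENGTH');
  }
  const candidates = [];
  const n = value.length;
  let i = 0;
  while (i < n) {
    // Skip whitespace and stray commas between candidates.
    while (i < n && (isSpace(value[i]) || value[i] === ',')) i++;
    if (i >= n) break;
    // URL: a run of non-whitespace characters (always advances i).
    let start = i;
    while (i < n && !isSpace(value[i])) i++;
    let url = value.slice(start, i);
    let descriptor = '';
    // A URL ending in commas ends the candidate; strip those commas.
    let end = url.length;
    while (end > 0 && url[end - 1] === ',') end--;
    if (end < url.length) {
      url = url.slice(0, end);
    } else {
      // Otherwise read an optional descriptor up to the next comma.
      while (i < n && isSpace(value[i])) i++;
      start = i;
      while (i < n && value[i] !== ',') i++;
      descriptor = value.slice(start, i).trim();
      if (i < n) i++; // consume the separating comma
    }
    if (url) candidates.push({ url, descriptor });
  }
  return candidates;
}
```

Every loop advances the index on each iteration, so even a value made of thousands of repeated separators is handled in one pass and a single oversized attribute is rejected up front.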

Conclusion

The fix described in this advisory is present in 1.9.1 and is also immediately available to HeroDevs AngularJS Never-Ending Support clients who are still on Angular 1.5. If you would like the peace of mind that comes from a HeroDevs Never-Ending Support subscription, contact our sales team today.

Resources

NIST entry for CVE-2024-21490

Vulnerability Details

ID: CVE-2024-21490
Project affected: AngularJS
Versions affected: >=1.3.0
Published date: February 10, 2024
≈ Fix date: August 1, 2023
Severity: High
Category: ReDoS Vulnerability