FixVibe
Research note | high

AngularJS Regular Expression Denial of Service (CVE-2024-21490)

A Regular Expression Denial of Service (ReDoS) vulnerability exists in AngularJS versions 1.3.0 and later. The ng-srcset directive uses a regular expression for splitting values that exhibits super-linear runtime when processing specially crafted, large inputs. This can lead to catastrophic backtracking, exhausting CPU resources and causing the application to hang or crash.

CVE-2024-21490 | CWE-1333

Impact

An attacker can cause a Denial of Service (DoS) by providing a large, carefully crafted string to the ng-srcset directive [S1]. This results in super-linear runtime due to catastrophic backtracking in the underlying regular expression engine, effectively freezing the browser's main thread and making the web application unresponsive [S1].

Root Cause

The vulnerability stems from an inefficient regular expression used to parse and split values within the ng-srcset directive [S1]. In AngularJS versions 1.3.0 and later, the regex engine fails to handle certain repetitive patterns efficiently, leading to an exponential increase in processing time as the input length grows [S1]. This behavior is classified as a Regular Expression Denial of Service (ReDoS) pattern [S1].

Remediation

To mitigate this vulnerability, users should upgrade to a patched version of the AngularJS framework as indicated in official security advisories [S1]. If upgrading is not immediately possible, developers should implement input validation to limit the length and complexity of strings passed to ng-srcset attributes, especially those derived from user-controllable data [S1].
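
One way to apply the length and complexity limits described above before a value reaches ng-srcset, as an added example (not AngularJS or FixVibe code). The names `sanitizeSrcset` and `isAllowedUrl` are hypothetical, and the limits `MAX_LENGTH` and `MAX_CANDIDATES` are assumed values to tune per application.

```javascript
// Added example, not AngularJS or FixVibe code. Limits are assumed values.
const MAX_LENGTH = 2048;     // assumed cap on the whole attribute value
const MAX_CANDIDATES = 16;   // assumed cap on comma-separated image candidates
const WIDTH = /^\d{1,5}w$/;               // width descriptor, e.g. 640w
const DENSITY = /^\d{1,2}(\.\d{1,2})?x$/; // density descriptor, e.g. 1.5x

// Accept only relative or http(s) URLs; the base is a placeholder for resolving.
function isAllowedUrl(url) {
  try {
    const parsed = new URL(url, 'https://placeholder.invalid/');
    return parsed.protocol === 'http:' || parsed.protocol === 'https:';
  } catch (err) {
    return false;
  }
}

// Returns a normalized srcset string, or null when the value must not be bound.
function sanitizeSrcset(value) {
  // Length check comes first so every later step runs on bounded input.
  if (typeof value !== 'string' || value.length > MAX_LENGTH) return null;

  // Literal split: a comma always ends a candidate, so URLs that contain
  // commas are not supported (policy choice of this example).
  const candidates = value.split(',');
  if (candidates.length > MAX_CANDIDATES) return null;

  const normalized = [];
  for (const candidate of candidates) {
    const parts = candidate.trim().split(/\s+/);
    // Expect "url" or "url descriptor"; empty candidates (",,") are rejected.
    if (parts[0] === '' || parts.length > 2) return null;
    const [url, descriptor] = parts;
    if (!isAllowedUrl(url)) return null;
    if (descriptor !== undefined &&
        !WIDTH.test(descriptor) && !DENSITY.test(descriptor)) return null;
    normalized.push(descriptor ? `${url} ${descriptor}` : url);
  }
  // Single spaces and ", " separators: short, regular output for the directive.
  return normalized.join(', ');
}
```

Call it on any user-influenced value before assigning it to the scope property bound to ng-srcset, and skip the binding when it returns null.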

How FixVibe could detect it

FixVibe could detect this vulnerability through its repository scanning mode by analyzing package.json or bower.json files to identify vulnerable versions of the angular or angularjs packages (>= 1.3.0) [S1]. Additionally, FixVibe's passive scanner could inspect the client-side JavaScript bundles of a running application to fingerprint the AngularJS version and flag the presence of the vulnerable ng-srcset directive logic [S1].
