CVE-2019-10768
Prototype Pollution vulnerability in angular
What is CVE-2019-10768 About?
This vulnerability affects `angular` versions prior to 1.7.9, where the deprecated `merge()` API function does not restrict the modification of an Object's prototype. An attacker can exploit this to add or modify properties that will exist on all objects, leading to arbitrary code execution or other undesirable behavior. Exploitation is relatively easy if an attacker can control input passed to the `merge()` function.
Affected Software
Technical Details
Versions of the `angular` framework prior to 1.7.9 are vulnerable to prototype pollution through the deprecated `merge()` API function. This function, intended for merging objects, fails to adequately restrict modifications to `Object.prototype`. If an attacker can supply input to the `merge()` function that includes a property named `__proto__` or similar object constructor properties, the function will merge these properties into `Object.prototype` itself. This action pollutes the global object prototype, meaning any changes made to `Object.prototype` will be inherited by all JavaScript objects in the application. This can lead to the introduction of new properties, overwriting of existing methods, or denial of service by corrupting core functionalities, potentially enabling arbitrary code execution in specific contexts.
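An added example (not AngularJS source and not taken from the advisory) showing the flaw described above in a simplified recursive merge, beside a hardened version and a pre-merge input check. The function names, the blocked-key list and the sample JSON are assumptions made for illustration.

```javascript
// Added example: simplified stand-ins for a recursive merge, not AngularJS source.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObject = (v) => v !== null && typeof v === 'object';
// Vulnerable shape: dst['__proto__'] resolves to Object.prototype, so the
// recursion copies input keys onto the prototype shared by every object.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (isObject(src[key])) {
      if (!isObject(dst[key])) dst[key] = Array.isArray(src[key]) ? [] : {};
      naiveMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Hardened shape: skip prototype-reaching keys and only recurse into own properties.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(dst, key);
    if (isObject(src[key])) {
      if (!own || !isObject(dst[key])) dst[key] = Array.isArray(src[key]) ? [] : {};
      safeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Pre-merge check for logging or rejecting input: JSON paths of blocked keys.
function findBlockedKeys(value, path = '$') {
  if (!isObject(value)) return [];
  return Object.keys(value).flatMap((key) => {
    const here = `${path}.${key}`;
    return (BLOCKED_KEYS.has(key) ? [here] : []).concat(findBlockedKeys(value[key], here));
  });
}

// Constructed sample input, as JSON.parse would yield it from a request body.
const UNTRUSTED = '{"theme":{"dark":true},"__proto__":{"isAdmin":true}}';
function demo(mergeFn) {
  const merged = mergeFn({}, JSON.parse(UNTRUSTED));
  const polluted = ({}).isAdmin === true; // does an unrelated object inherit it?
  delete Object.prototype.isAdmin;        // clean up so each run starts clean
  return { merged, polluted };
}
```

`demo(naiveMerge).polluted` is `true` and `demo(safeMerge).polluted` is `false`; `findBlockedKeys` can run on parsed input before any merge to reject or log the request.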
What is the Impact of CVE-2019-10768?
Successful exploitation may allow attackers to inject properties into all JavaScript objects, leading to denial of service, information disclosure, or, in some contexts, arbitrary code execution.
What is the Exploitability of CVE-2019-10768?
Exploitation of this prototype pollution vulnerability in Angular is of moderate complexity. An attacker needs to provide specially crafted data that eventually gets passed to the deprecated `merge()` function within the application. Authentication and privilege requirements are generally low, as the vulnerability resides in how data is processed, not in accessing protected resources. This is primarily a remote exploit scenario where user-controlled input (e.g., from JSON payloads, query parameters, or form data) is used by the application in a way that triggers the vulnerable `merge()` call. The main prerequisite is the presence of the vulnerable Angular version and the application's reliance on the deprecated `merge()` function with untrusted input. The impact can vary greatly depending on how the polluted prototype properties are later used by the application, making it a significant risk factor.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-10768?
Available Upgrade Options
- angular
- <1.7.9 → Upgrade to 1.7.9
Additional Resources
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://www.npmjs.com/advisories/1343
- https://nvd.nist.gov/vuln/detail/CVE-2019-10768
- https://snyk.io/vuln/SNYK-JS-ANGULAR-534884
- https://github.com/angular/angular.js
- https://osv.dev/vulnerability/GHSA-89mq-4x47-5v83
- https://github.com/angular/angular.js/commit/add78e62004e80bb1e16ab2dfe224afa8e513bc3
- https://github.com/angular/angular.js/pull/16913
What are Similar Vulnerabilities to CVE-2019-10768?
Similar Vulnerabilities: CVE-2019-11358, CVE-2020-28264, CVE-2020-28283, CVE-2020-7712, CVE-2021-23337
