CVE-2022-25844
Regular Expression Denial of Service (ReDoS) vulnerability in angular (npm)

What is CVE-2022-25844 About?

AngularJS versions after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to an issue with providing a custom locale rule. An attacker can craft a specific input that hangs the application, making it unavailable. This vulnerability is moderately easy to exploit for an attacker familiar with the input validation mechanisms.

Affected Software

angular >=1.7.0

Technical Details

The ReDoS vulnerability in AngularJS (versions 1.7.0 and higher) specifically targets NUMBER_FORMATS.PATTERNS[1].posPre, which defines a custom locale rule. An attacker can exploit this by providing a highly crafted regular expression as input to the posPre parameter. This crafted input, combined with very high values passed to ' '.repeat(), can cause the regular expression engine to enter a catastrophic backtracking state. This state consumes an excessive amount of CPU resources, leading to a denial of service for the application or client-side script processing the malicious input. The core issue lies in how certain regular expressions used for number formatting are constructed or applied, which allows inefficient processing of specific pathological inputs.
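
As an added example (not code from AngularJS or from this advisory), the following JavaScript check rejects a locale object whose number-pattern affixes, including NUMBER_FORMATS.PATTERNS[1].posPre, are oversized or contain long whitespace runs before the locale reaches the formatter. The function names, the two limits and the sample locale objects are assumptions made for illustration.

```javascript
// Added example: validate AngularJS-style NUMBER_FORMATS before use.
// The limits below are assumptions, not values taken from AngularJS.
const AFFIX_FIELDS = ['posPre', 'posSuf', 'negPre', 'negSuf'];
const MAX_AFFIX_LENGTH = 16;   // assumed bound for a sign/currency affix
const MAX_WHITESPACE_RUN = 2;  // assumed: real locales need a space or two at most

// Linear scan instead of a regex, so the check itself cannot backtrack.
function longestWhitespaceRun(s) {
  let best = 0;
  let current = 0;
  for (const ch of s) {
    current = ch.trim() === '' ? current + 1 : 0;
    if (current > best) best = current;
  }
  return best;
}

// Returns a list of findings; an empty list means the patterns look sane.
function checkNumberFormats(numberFormats) {
  const patterns = numberFormats && numberFormats.PATTERNS;
  if (!Array.isArray(patterns)) {
    return ['NUMBER_FORMATS.PATTERNS is missing or not an array'];
  }
  const findings = [];
  patterns.forEach((pattern, i) => {
    for (const field of AFFIX_FIELDS) {
      const value = pattern ? pattern[field] : undefined;
      const where = `PATTERNS[${i}].${field}`;
      if (typeof value !== 'string') {
        findings.push(`${where}: expected string, got ${typeof value}`);
      } else if (value.length > MAX_AFFIX_LENGTH) {
        findings.push(`${where}: length ${value.length} exceeds ${MAX_AFFIX_LENGTH}`);
      } else if (longestWhitespaceRun(value) > MAX_WHITESPACE_RUN) {
        findings.push(`${where}: whitespace run exceeds ${MAX_WHITESPACE_RUN}`);
      }
    }
  });
  return findings;
}

// Constructed sample input: a normal currency pattern and an oversized posPre.
const normalFormats = { PATTERNS: [
  { posPre: '', posSuf: '', negPre: '-', negSuf: '' },
  { posPre: '\u00A4', posSuf: '', negPre: '-\u00A4', negSuf: '' },
] };
const oversizedFormats = { PATTERNS: [
  normalFormats.PATTERNS[0],
  { posPre: ' '.repeat(5000), posSuf: '', negPre: '-\u00A4', negSuf: '' },
] };
console.log(checkNumberFormats(normalFormats), checkNumberFormats(oversizedFormats));
```

Run the check wherever a locale definition crosses a trust boundary, and refuse to register the locale when the returned list is not empty.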

What is the Impact of CVE-2022-25844?

Successful exploitation may allow attackers to conduct a denial of service (DoS) attack, causing the affected application or client-side script to become unresponsive or crash.

What is the Exploitability of CVE-2022-25844?

Exploitation complexity is moderate, requiring knowledge of AngularJS's locale formatting mechanisms and how to craft a pathological regular expression. Authentication requirements depend on whether an unauthenticated user can influence locale settings or numerical formatting input. If so, no authentication is needed. Privilege requirements are low; typical user interaction with a UI where locale or number formatting can be influenced is sufficient. Exploitation is primarily remote, as an attacker would deliver a malicious input through a web request or user interface element. Special conditions involve the application using AngularJS versions 1.7.0 or higher and allowing user-supplied input to influence number formatting or locale rules. Risk factors that increase exploitation likelihood include applications that enable extensive user customization of display formats or internationalization settings without robust input validation.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2022-25844?

Available Upgrade Options

  • No fixes available

What are Similar Vulnerabilities to CVE-2022-25844?

Similar Vulnerabilities: CVE-2020-28189, CVE-2020-15105, CVE-2021-23337, CVE-2020-8260, CVE-2019-10747