CVE-2023-26117
Regular Expression Denial of Service (ReDoS) vulnerability in angular (npm)

Regular Expression Denial of Service (ReDoS) No known exploit

What is CVE-2023-26117 About?

This vulnerability is a Regular Expression Denial of Service (ReDoS) in all versions of the `angular` npm package (AngularJS), specifically within the `$resource` service. The service uses an insecure regular expression that, given a large, carefully crafted input, enters catastrophic backtracking; the resulting CPU exhaustion makes the application unresponsive to legitimate users.

Affected Software

angular <=1.8.3

Technical Details

All versions of the Angular package are susceptible to a Regular Expression Denial of Service (ReDoS) vulnerability, which specifically affects the $resource service. The $resource service utilizes an insecure regular expression that, when presented with a large, meticulously crafted input string, enters a state of 'catastrophic backtracking.' This computational inefficiency causes the regex engine to consume excessive CPU resources and time, leading to a significant performance degradation or complete unresponsiveness of the application. The attack vector involves submitting user-controlled data to endpoints processed by the $resource service.

What is the Impact of CVE-2023-26117?

Successful exploitation may allow attackers to trigger a Denial of Service, causing applications to become unresponsive and affecting service availability.

What is the Exploitability of CVE-2023-26117?

Exploitation involves providing a large, carefully crafted input to an AngularJS application that uses the $resource service. The complexity is low, requiring knowledge of the specific regex pattern to craft an effective payload. No authentication or privileges are needed beyond the ability to submit data to an associated endpoint. This is a remote scenario, typically via a web request. The primary risk factor is the acceptance of untrusted, potentially long strings that are then processed by the $resource service's vulnerable regular expression.
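The advisory does not publish the affected $resource pattern, so the following added example (not code from the advisory or from AngularJS) uses a textbook backtracking-prone pattern as a constructed stand-in. It shows the superlinear growth the text describes and the mitigation its risk statement points to: capping the length of untrusted strings before any regex-based processing. The cap value and the function names are assumptions.

```javascript
// Constructed stand-in for the undisclosed $resource pattern: nested
// quantifiers make a non-matching input backtrack exponentially.
const PATHOLOGICAL = /^(a+)+$/;

// Assumed cap; pick one that fits the identifiers your endpoints accept.
const MAX_PARAM_LENGTH = 64;

// Mitigation: refuse over-long or non-string untrusted input before it
// reaches any regex-based parsing (for example $resource parameters).
function boundedParam(value, maxLen = MAX_PARAM_LENGTH) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (value.length > maxLen) return { ok: false, reason: 'too long' };
  return { ok: true, value };
}

// Measures a single test() on a non-matching input of the given length.
// Under catastrophic backtracking the time roughly doubles per added char.
function matchTimeMs(re, length) {
  const input = 'a'.repeat(length) + '!'; // constructed; never matches
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Runs the timing series on small sizes (kept small so it finishes fast)
// and shows the guard accepting a short value and rejecting a long one.
function demo() {
  const rows = [10, 14, 18].map((n) => ({ n, ms: matchTimeMs(PATHOLOGICAL, n) }));
  return {
    rows,
    accepted: boundedParam('id-42'),
    rejected: boundedParam('a'.repeat(500)),
  };
}

console.table(demo().rows);
```

Growing the series by a few more characters is enough to see the doubling clearly; the guard, by contrast, returns in constant time regardless of input size.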

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-26117?

Available Upgrade Options

  • No fixes available


Additional Resources

What are Similar Vulnerabilities to CVE-2023-26117?

Similar Vulnerabilities: CVE-2023-26115, CVE-2022-25916, CVE-2021-23424, CVE-2022-24754, CVE-2021-3918