CVE-2023-26118
Regular Expression Denial of Service (ReDoS) vulnerability in angular (npm)
What is CVE-2023-26118 About?
This vulnerability affects all versions of the Angular package, leading to a Regular Expression Denial of Service (ReDoS) via the `<input type="url">` element. It arises from an insecure regular expression used in the `input[url]` functionality, which can be exploited by a carefully crafted, large input string to cause catastrophic backtracking. This can freeze or crash the browser, easily leading to a DoS.
Affected Software
Technical Details
The vulnerability is a Regular Expression Denial of Service (ReDoS) that exists in all versions of the Angular package, specifically within the validation logic for <input type="url"> elements. The regular expression used to validate URL input (input[url]) is inefficiently constructed, containing patterns that can lead to 'catastrophic backtracking' when processing certain input strings. An attacker can craft a very long string that, when evaluated against this insecure regex, causes the regex engine to explore an exponentially increasing number of paths, consuming excessive CPU resources. This processing can freeze or crash the user's browser or the server-side validation process, resulting in a Denial of Service (DoS).
What is the Impact of CVE-2023-26118?
Successful exploitation may allow attackers to cause a denial of service in the user's browser or server-side validation processes, leading to unresponsiveness or crashes.
What is the Exploitability of CVE-2023-26118?
Exploitation has low complexity, requiring only the ability to provide a crafted input string to an application utilizing Angular with an <input type="url"> element. No authentication or specific privileges are required, as the attack targets client-side or server-side validation logic that processes user input. It is typically a remote attack, delivered through a web page. The primary prerequisite is the presence of the vulnerable Angular validation for URL inputs. The likelihood of exploitation is high, as crafting a ReDoS payload is common, and the impact can be immediate (e.g., freezing the user's browser tab).
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2023-26118?
Available Upgrade Options
- No fixes available
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406326
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/
- https://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos
- https://osv.dev/vulnerability/GHSA-qwqh-hm9m-p5hr
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406327
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ
- https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406328
What are Similar Vulnerabilities to CVE-2023-26118?
Similar Vulnerabilities: CVE-2023-37903 , CVE-2023-38408 , CVE-2023-29007 , CVE-2023-45133 , CVE-2023-30533
