CVE-2024-21490
Denial of Service vulnerability in angular (npm)

Denial of Service | No known exploit

What is CVE-2024-21490 About?

This is a denial of service vulnerability in versions of Angular from 1.3.0, caused by a regular expression vulnerable to super-linear runtime due to backtracking. A large, carefully crafted input can trigger catastrophic backtracking, leading to service disruption. This vulnerability is relatively easy to exploit with precise input, making it a significant threat to unpatched Angular applications.

Affected Software

  • angular
    • >1.3.0, <=1.8.3
  • org.webjars.npm:angular
    • >1.3.0, <=1.8.3
  • org.webjars.bower:angular
    • >1.3.0, <=1.8.3

Technical Details

The vulnerability resides in the regular expression used by the ng-srcset directive within Angular versions starting from 1.3.0. This regular expression is susceptible to 'catastrophic backtracking' when processing specific, complex input patterns. Catastrophic backtracking occurs when a regex engine attempts to match a pattern containing certain quantifiers (like *, +) applied to sub-expressions that can match the empty string or overlapping parts of the input. When a large, specially crafted string that satisfies these problematic patterns is provided as the value for ng-srcset, the regex engine takes an extraordinarily long time and consumes excessive computational resources to evaluate the match, effectively freezing the application or server process. This resource exhaustion leads to a Denial-of-Service condition.

What is the Impact of CVE-2024-21490?

Successful exploitation may allow attackers to cause a Denial-of-Service condition by consuming excessive CPU resources, leading to unresponsiveness, crashes, and unavailability of applications using the vulnerable Angular framework.

What is the Exploitability of CVE-2024-21490?

Exploitation of this regular expression-based Denial-of-Service vulnerability is of moderate complexity. It requires crafting a specific, large input string that triggers catastrophic backtracking in the regex used by the ng-srcset directive. No authentication or elevated privileges are required to exploit this; an attacker only needs the ability to provide input that the AngularJS application will process via the ng-srcset directive. This is primarily a remote exploitation scenario if user input can influence the ng-srcset value. The main prerequisite is an application running an unpatched version of Angular 1.3.0 or later. Risk factors are high for web applications that dynamically generate or allow user input to influence ng-srcset values without strict sanitization.
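A triage check for the two conditions just described (an affected version, and an ng-srcset value built at runtime), as an added example that is not part of the original advisory or of AngularJS itself. The version bounds come from this page's Affected Software list; the function names, template file names and sample markup are constructed for illustration.

```javascript
// Affected range as listed on this page: >1.3.0, <=1.8.3.
const AFFECTED = { above: [1, 3, 0], upTo: [1, 8, 3] };

// "1.8.3" -> [1, 8, 3]; pre-release/build suffixes are ignored (simplification).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true/false for a parseable version, null when the string is not a version.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return compare(v, AFFECTED.above) > 0 && compare(v, AFFECTED.upTo) <= 0;
}

// ng-srcset / data-ng-srcset attributes whose value is interpolated at runtime.
// Other normalized spellings (x-ng-srcset, ng:srcset) are not covered here.
function findDynamicSrcset(template) {
  const attr = /\b(?:data-)?ng-srcset\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const hits = [];
  for (const m of template.matchAll(attr)) {
    const value = m[1] !== undefined ? m[1] : m[2];
    if (value.includes("{{")) hits.push(value);
  }
  return hits;
}

// templates: { fileName: source }. Flags the app only when both conditions hold.
function audit(version, templates) {
  const findings = [];
  for (const [file, src] of Object.entries(templates)) {
    for (const value of findDynamicSrcset(src)) findings.push({ file, value });
  }
  const affected = isAffected(version);
  return { affected, atRisk: affected === true && findings.length > 0, findings };
}

// Constructed sample input (not from the page).
const SAMPLE = {
  "gallery.html": '<img ng-srcset="{{photo.srcset}}" alt="">',
  "logo.html": '<img ng-srcset="logo.png 1x, logo@2x.png 2x" alt="">',
};
console.log(audit("1.8.3", SAMPLE));
```

Each finding is a binding to trace back to its data source: values that originate from user input are the ones to constrain or remove.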

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2024-21490?

Available Upgrade Options

  • No fixes available

Additional Resources

What are Similar Vulnerabilities to CVE-2024-21490?

Similar Vulnerabilities: CVE-2020-28189, CVE-2019-18302, CVE-2018-8032, CVE-2016-10527, CVE-2014-0062