Normally, setting an `<img>` or `<source>` element's srcset attribute value is subject to image source sanitization, which
improves the security of an application by restricting the sources of images that can be shown, for example by only
allowing images from a specific domain.
However, due to a bug in AngularJS, setting an `<img>` element's srcset attribute via the ngAttrSrcset directive or interpolation
is not subject to image source sanitization. This allows bypassing the image source restrictions configured in the application,
which can also lead to a form of Content Spoofing.
Note: The ngSrcset and ngPropSrcset directives are not affected. With these directives, sanitization works as intended.
Scenario:
Configure $compileProvider to only allow images from a specific domain.
```js
angular
  .module('app', [])
  .config(['$compileProvider', $compileProvider => {
    $compileProvider.imgSrcSanitizationTrustedUrlList(
      // Only allow images from `angularjs.org`.
      /^https:\/\/angularjs\.org\//);
  }]);
```
Use a specially-crafted value in the ngAttrSrcset directive on an `<img>` element to bypass the domain restriction and show an
image from a disallowed domain.
The logic used in the ngSrcset, ngAttrSrcset and ngPropSrcset directives to sanitize image source URLs has a vulnerability that
allows bypassing the restrictions set by some common patterns, such as only allowing images from a specific domain. With a
specially-crafted input, the sanitization can be bypassed and images from an arbitrary domain can be shown, which can also lead
to a form of Content Spoofing.
Note: This issue also affects setting interpolated values via the srcset HTML attribute, which is not recommended in AngularJS anyway.
An improper sanitization vulnerability (CVE-2025-0716) has been identified in AngularJS, which allows attackers to bypass common
image source restrictions normally applied to the value of the href or xlink:href attributes on SVG elements. This bypass
can further lead to a form of Content Spoofing. Similarly, the application's performance and behavior could be negatively affected
by using too large or slow-to-load images.
Normally, setting an SVG element's href or xlink:href attribute values via AngularJS bindings is subject to image source
sanitization. This improves the security of an application by restricting the sources of images that can be shown, for example
by only allowing images from a specific domain.
However, due to a bug in AngularJS, setting an SVG element's href or xlink:href attribute values via the ngHref and
ngAttrHref directives or using interpolation is not subject to image source sanitization. This allows bypassing the image source
restrictions configured in the application, which can also lead to a form of Content Spoofing. Similarly, the application's
performance and behavior can be negatively affected by using too large or slow-to-load images.
Note: Targeting the xlink:href attribute via ng-attr-xlink:href or interpolation is not affected. With xlink:href, sanitization
works as intended.
An improper sanitization vulnerability (CVE-2025-2336) has been identified in AngularJS' ngSanitize module, which allows attackers
to bypass common image source restrictions normally applied to image elements. This bypass can further lead to a form of Content
Spoofing. Similarly, the application's performance and behavior could be negatively affected by using too large or slow-to-load
images.
The $sanitize service, which is provided by the angular-sanitize package, is used for sanitizing HTML strings by stripping all
potentially dangerous tokens. As part of the sanitization, it checks the URLs of images to ensure they abide by the defined image
source rules. This improves the security of an application by restricting the sources of images that can be shown, for example
by only allowing images from a specific domain.
However, due to a bug in the $sanitize service, SVG elements are not correctly detected as images, even when SVG support
is enabled. As a result, the image source restrictions are not applied to such SVG images. This allows bypassing the
image source restrictions configured in the application, which can also lead to a form of Content Spoofing. Similarly, the
application's performance and behavior can be negatively affected by using too large or slow-to-load images.
Note: The $sanitize service is also used internally by the ngBindHtml directive and the linky filter, so any vulnerabilities
in it affect them as well.
Example:
```js
angular
  .module('app', ['ngSanitize'])
  .config([
    '$compileProvider', '$sanitizeProvider',
    ($compileProvider, $sanitizeProvider) => {
      $compileProvider.imgSrcSanitizationTrustedUrlList(
        // Only allow images from `angularjs.org`.
        /^https:\/\/angularjs\.org\//);
      // Enable SVG support in `$sanitize()`.
      $sanitizeProvider.enableSvg(true);
    },
  ]);
```
AngularJS' localization utilities allow formatting numbers as currency values. If an application sets the current locale's
NUMBER_FORMATS.PATTERNS[1].posPre value to a user-defined string, it can be abused to cause a Denial of Service of the application.
It’s possible in versions of Angular starting from 1.2.21 to conduct a Regular Expression Denial of Service (ReDoS) attack via the
angular.copy() utility function. If a malicious actor carefully composes an insecure regular expression and provides it to the
function, it can cause catastrophic backtracking and monopolize system resources. A proof of concept demonstrating this exploit is
available on StackBlitz.
Equivalent to: `angular.copy(new RegExp(userProvidedPattern));`
It’s possible in versions of Angular starting from 1.0.0 to conduct a Regular Expression Denial of Service (ReDoS) attack via the
$resource service due to the usage of an insecure regular expression. If a malicious actor carefully composes an insecure resource URL
value and provides it to the service, it can cause catastrophic backtracking and monopolize system resources.
A regular expression used by the $resource service to strip trailing slashes is vulnerable to super-linear runtime due to
backtracking. With a large, carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service of
the application.
Equivalent to: `` $resource(`/some/url/${userProvidedSuffix}`).query() ``
It’s possible in versions of Angular starting from 1.4.9 to conduct a Regular Expression Denial of Service (ReDoS) attack via the
input[url] element. If a malicious actor carefully composes an insecure URL input that is used by the input[url] element,
catastrophic backtracking and monopolization of system resources can occur.
A regular expression used to validate the value of the input[url] directive is vulnerable to super-linear runtime due to backtracking.
Starting with version 1.3.0 of Angular, it’s possible to conduct a Regular Expression Denial of Service (ReDoS) attack. Because the
package uses a regular expression to split the value of the ng-srcset directive, if a malicious actor carefully composes an
ng-srcset value, this can cause catastrophic backtracking and monopolize system resources.
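A defender-side check for the srcset sanitization bypass described above and the ng-srcset splitting ReDoS, added here as an example rather than code from AngularJS: it parses the srcset with a linear scan instead of a backtracking regex and validates every candidate URL against the same trusted-URL pattern as the configuration above. The `unsafe:` prefix on rejected URLs and the simplified descriptor handling are assumptions of this example.

```javascript
// Added example, not AngularJS code: parse a srcset with a linear scan (no
// backtracking regex) and validate every candidate URL against an
// imgSrcSanitizationTrustedUrlList-style pattern; sanitizeImageUrl() is the
// same check a single SVG href/xlink:href value should get.
const TRUSTED_IMG_SRC = /^https:\/\/angularjs\.org\//; // pattern from the config above
const UNSAFE_PREFIX = 'unsafe:'; // assumption: mark rejected URLs rather than drop them
const isWs = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';

// Simplified HTML srcset parsing: a URL is a run of non-whitespace; if it ends
// in commas it carries no descriptors, otherwise descriptors run up to the next
// comma. Every character is visited a constant number of times.
function parseSrcset(value) {
  const candidates = [];
  const n = value.length;
  let i = 0;
  while (i < n) {
    while (i < n && (isWs(value[i]) || value[i] === ',')) i++; // skip separators
    if (i >= n) break;
    let start = i;
    while (i < n && !isWs(value[i])) i++;
    let url = value.slice(start, i);
    let descriptors = '';
    if (url.endsWith(',')) {
      let end = url.length;
      while (end > 0 && url[end - 1] === ',') end--; // strip trailing commas
      url = url.slice(0, end);
    } else {
      start = i;
      while (i < n && value[i] !== ',') i++;
      descriptors = value.slice(start, i).trim();
    }
    candidates.push({ url, descriptors });
  }
  return candidates;
}

// Validate one image URL; untrusted sources get the unsafe: prefix.
function sanitizeImageUrl(url, trustedRe = TRUSTED_IMG_SRC) {
  return trustedRe.test(url) ? url : UNSAFE_PREFIX + url;
}

// Rebuild the srcset with each candidate URL checked individually.
function sanitizeSrcset(value, trustedRe = TRUSTED_IMG_SRC) {
  return parseSrcset(value)
    .map(({ url, descriptors }) => {
      const safe = sanitizeImageUrl(url, trustedRe);
      return descriptors ? `${safe} ${descriptors}` : safe;
    })
    .join(', ');
}
```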
CVE-2025-4690 : Regular Expression Denial of Service [FIXED]
The linky filter, which is provided by the angular-sanitize package, is used for finding links in an input text and turning them
into sanitized HTML links (using the $sanitize service under the hood). The logic for finding links in text is powered by a
regular expression.
Due to an implementation bug, the regular expression has a super-linear runtime relative to the input size. With a long,
specially-crafted input, an attacker could cause a denial of service of the application, monopolizing browser resources or
crashing the application completely.
CVEs ignored because they are not applicable to our use cases
CVE-2022-25869 : Cross-Site Scripting [IGNORED - IE NOT SUPPORTED] (we no longer support IE)
This Cross-Site Scripting (XSS) vulnerability is present in all public versions of AngularJS. It is exploitable only in the Internet
Explorer browser, which has a bug in its page caching when dealing with textareas. A malicious actor can insert dangerous code
that the browser will execute, thereby gaining access to data or script functions (the attacker tricks the application or site into
accepting a request as though it came from a trusted source).
CVE-2024-33665 : Cross-Site Scripting [IGNORED - N/A] (we do not use angular-translate)
A Prototype Pollution vulnerability (CVE-2022-37602) has been identified in grunt-karma, which allows a malicious actor to modify
an object's prototype, potentially leading to unexpected behavior or security issues.