AngularJS
cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*
Affected versions: >= 1.3.0-rc.4
A vulnerability in AngularJS has been identified, stemming from improper sanitization of the 'srcset' attribute. This issue allows attackers to bypass standard image source restrictions, potentially leading to content spoofing. The vulnerability affects AngularJS versions 1.3.0-rc.4 and later. Notably, the AngularJS project is no longer actively maintained, and this vulnerability will not be addressed in future updates.
Exploitation of this vulnerability could result in unauthorized image sources being accepted, allowing for content spoofing attacks. Additionally, according to NetApp, successful exploitation could lead to the unauthorized addition or modification of data.
To reproduce this vulnerability, create an AngularJS application and configure the $compileProvider to only allow images from a specific domain. Then, use a crafted value in the ngSrcset directive on an <img> element to bypass the restriction and display an image from a disallowed domain. This vulnerability can also be demonstrated by injecting an arbitrary SVG image using the data:image/svg+xml format.
Users can upgrade to the Never-Ending Support version offered by HeroDevs, which includes the necessary patch. For more information, visit the HeroDevs website.
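As an additional application-level check, a srcset value can be validated candidate by candidate before it is bound to ngSrcset, rejecting the whole value if any part is unexpected. This is an added example, not code from AngularJS or HeroDevs. The function names and the images.example.com origin are assumptions made for illustration.

```javascript
// Added example: fail-closed allowlist check for srcset values.
// parseSrcset, isSrcsetAllowed and the origins used are hypothetical names.

// Valid descriptors: none, a width ("480w"), or a pixel density ("2x", "1.5x").
const DESCRIPTOR = /^(|\d+w|\d+(\.\d+)?x)$/;

// Split a srcset value into {url, descriptor} candidates. A URL is a run of
// non-whitespace characters; a candidate ends at the next comma.
function parseSrcset(value) {
  const candidates = [];
  let rest = String(value);
  for (;;) {
    rest = rest.replace(/^[ \t\n\f\r,]+/, ''); // skip separators
    if (rest === '') return candidates;
    let url = /^[^ \t\n\f\r]+/.exec(rest)[0];
    rest = rest.slice(url.length);
    let descriptor = '';
    if (url.endsWith(',')) {
      url = url.replace(/,+$/, ''); // "url," closes the candidate
    } else {
      const end = rest.indexOf(',');
      descriptor = (end === -1 ? rest : rest.slice(0, end)).trim();
      rest = end === -1 ? '' : rest.slice(end + 1);
    }
    candidates.push({ url, descriptor });
  }
}

// True only if every candidate has a well-formed descriptor and an absolute
// https URL whose origin is on the allowlist. Anything else rejects the
// whole value, including data: URIs and relative or unparseable URLs.
function isSrcsetAllowed(value, allowedOrigins) {
  const candidates = parseSrcset(value);
  if (candidates.length === 0) return false;
  return candidates.every(({ url, descriptor }) => {
    if (!DESCRIPTOR.test(descriptor)) return false;
    let parsed;
    try {
      parsed = new URL(url);
    } catch (e) {
      return false;
    }
    return parsed.protocol === 'https:' && allowedOrigins.includes(parsed.origin);
  });
}
```

The check compares the parsed origin rather than matching a string prefix, so a URL that merely starts with an allowed host name does not pass.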