AngularJS ngSanitize Module Improper SVG Image Source Sanitization Vulnerability

Vulnerability

A vulnerability exists in the AngularJS ngSanitize module, specifically in versions 1.3.1 and later, due to improper sanitization of the href and xlink:href attributes in image elements within SVGs. This flaw allows attackers to bypass standard image source restrictions, potentially leading to content spoofing and adversely affecting the application's performance by loading excessively large or slow images. Notably, the AngularJS project is no longer maintained, and this issue will not be addressed in future updates.

Impact

Exploitation of this vulnerability can bypass image source restrictions, allowing the injection of images from disallowed domains. This not only facilitates content spoofing but can also disrupt application performance by introducing large or slow-loading images.

Reproduction

To reproduce this vulnerability, create an AngularJS application that includes the ngSanitize module. Configure the $compileProvider to restrict image sources to a specific domain, and enable SVG support in the $sanitizeProvider. Once the application is set up, use an SVG image element to bypass the domain restriction by referencing an image from a disallowed domain.
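Because the image source restriction described above is not enforced on SVG image elements, sanitized markup can be audited for them separately. The following is an added example, not code from AngularJS or from this advisory: it scans sanitizer output for SVG `image` elements whose `href` or `xlink:href` resolves outside an allow-list. `ALLOWED_IMG_SRC`, `APP_BASE` and the sample markup are assumptions, and the scan assumes quoted attribute values as a sanitizer emits them.

```javascript
// Added example. ALLOWED_IMG_SRC and APP_BASE are assumed values; substitute
// the pattern and origin your own application uses.
const ALLOWED_IMG_SRC = /^https:\/\/images\.example\.com\//;
const APP_BASE = 'https://app.example.com/';

// Constructed sample of sanitizer output (not taken from a real application).
const SAMPLE =
  '<p>report</p><svg>' +
  '<image xlink:href="https://images.example.com/logo.png"></image>' +
  '<image href="https://other.example.net/big.png"></image>' +
  '<image href="/local.png"></image>' +
  '</svg><img src="https://images.example.com/ok.png">';

// Opening tag of the SVG <image> element (does not match HTML <img>).
const IMAGE_TAG = /<image\b([^>]*)>/gi;
// href="..." or xlink:href="..." with a quoted value.
const HREF_ATTR = /\s(?:xlink:)?href\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

// Undo the entity encoding a sanitizer applies to attribute values.
function decodeEntities(value) {
  return value
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" is not decoded twice
}

// Return every SVG image source that resolves outside the allow-list.
function findDisallowedSvgImages(html, allowed = ALLOWED_IMG_SRC, base = APP_BASE) {
  const findings = [];
  for (const tag of html.matchAll(IMAGE_TAG)) {
    for (const attr of tag[1].matchAll(HREF_ATTR)) {
      const raw = decodeEntities(attr[1] ?? attr[2] ?? '');
      let resolved;
      try {
        resolved = new URL(raw, base).href; // resolve relative references first
      } catch {
        resolved = raw; // unparseable values are reported as written
      }
      if (!allowed.test(resolved)) findings.push(resolved);
    }
  }
  return findings;
}
```

A non-empty result means the markup would load an image the allow-list was meant to exclude; the relative source in the sample is reported because it resolves to the application origin, which the assumed pattern does not cover.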

Remediation

Users can migrate away from AngularJS or seek support from HeroDevs, a commercial partner offering post-EOL security support for AngularJS.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 5.6
exploitability: 5.8
remediation: 7.7
relevance: 0.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.