AngularJS Regular Expression Denial-of-Service Vulnerability in Linky Filter

A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in the AngularJS framework, specifically within the 'ngSanitize' module's 'linky' filter. This vulnerability affects all versions of AngularJS. The issue arises because the regular expression used to detect URLs in input text has a super-linear runtime due to backtracking. When large, carefully crafted inputs are processed, this can lead to significant performance degradation or even cause the application to crash.

Impact

Exploitation of this vulnerability can cause the application to hang for an extended period, monopolizing browser resources, or it can lead to a complete crash of the application.

Reproduction

To reproduce this vulnerability, create an AngularJS application that includes the 'ngSanitize' module. Use the 'linky' filter with input text that contains a large number of consecutive alphanumeric characters. This can be done by setting the input text to values of 25000, 50000, 100000, 200000, 400000, or 800000 characters. After 'linkifying' the text, the application will experience a noticeable delay or crash, especially if not run in a Chrome browser.

Remediation

The AngularJS project is End-of-Life and will not receive any updates to address this issue. Users should consider migrating applications away from AngularJS or leverage a commercial support partner like HeroDevs for post-EOL security support.