Content Security Policy (CSP) Bypass Affecting angularjs.core package, versions [1.5.0,1.5.9)

  • Attack Complexity


  • Confidentiality


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    23 Jan 2017

  • disclosed

    31 Oct 2016

  • credit

    Martin Probst

How to fix?

Upgrade AngularJS.Core to version 1.5.9 or higher.


AngularJS.Core is an AngularJS.* package for other Angular modules within .NET.

Affected versions of this package are vulnerable to Content Security Policy (CSP) Bypass. Extension URIs (resource://...) bypass Content-Security-Policy in Chrome and Firefox and can always be loaded. Now if a site already has a XSS bug, and uses CSP to protect itself, but the user has an extension installed that uses Angular, an attacker can load Angular from the extension, and Angular's auto-bootstrapping can be used to bypass the victim site's CSP protection.