Arbitrary Code Execution Affecting angular package, versions <1.4.0-beta.6
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.
Start learning- Snyk IDnpm:angular:20150310
- published23 Jan 2017
- disclosed9 Mar 2015
- creditRodric Haddad
Introduced: 9 Mar 2015
CVE NOT AVAILABLE CWE-78 (opens in a new tab)How to fix?
Upgrade angular to version 1.4.0-beta.6 or higher.
Overview
angular is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly.
Affected versions of this package are vulnerable to Arbitrary Code Execution via unsafe svg animation tags.
Details
Exploit Example:
<svg>
<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?">
<circle r="400"></circle>
<animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" />
</a>
</svg>
Here the anchor's href is animated, starting from a value that's a javascript URI. This allows execution of arbitrary javascript in the process. Preventing only the animation of links is tricky, as SVG is weird and namespaces aren't predictable. The fix is to have the sanitizer filter out svg animation tags instead.