February 21, 2024

AngularJS CVE 2024-21490: Are You at Risk?

AngularJS
Security

CVE 2024-21490 is a new high severity vulnerability, publicly disclosed on February 10, 2024, that affects Angular 1.3.0, also known as AngularJS 1.3. AngularJS reached end of life (EOL) on December 31, 2021, and no longer receives updates or patches.

In the 2024 State of Open Source Report, we asked respondents still using EOL AngularJS what they would do if serious AngularJS vulnerabilities were discovered and 29% responded “I don’t know.” 

Read on to find out what CVE 2024-21490 does, who it impacts, and how to prevent it from being exploited if you are not able to migrate to a supported open source framework.


What Is CVE 2024-21490?

CVE 2024-21490 is a Regular Expression Denial of Service (ReDoS) vulnerability currently being reviewed by the National Institute of Standards and Technology (NIST) to be assigned a score in the National Vulnerability Database. Snyk has classified the CVE as high severity, with a CVSS score of 7.5. 


Who Does CVE 2024-21490 Affect?

All JavaScript applications built on AngularJS 1.3.0 and higher carry this exploitable vulnerability. If your AngularJS applications are affected by this CVE, patch them immediately to avoid a ReDoS attack.


How Does CVE 2024-21490 Work?

CVE 2024-21490 is a Regular Expression Denial of Service (ReDoS) vulnerability. A regular expression used to split the value of the 'ng-srcset' directive is vulnerable to super-linear runtime due to backtracking. With large, carefully crafted input, this can result in catastrophic backtracking and cause a denial of service.

Denial of Service (DoS) attacks aim to make systems unavailable to legitimate users. Regular expressions are very powerful, but their runtime behaviour is not intuitive: a pattern that looks harmless can be driven into catastrophic backtracking by crafted input, which is what makes a ReDoS an easy way for an attacker to take a site down.


Consequences of a ReDoS Attack

ReDoS attacks typically do not result in data loss, just performance degradation. At a minimum, a ReDoS exploit of this vulnerability would degrade application performance by consuming large amounts of CPU, causing other applications to slow down or crash. Other impacts depend on your environment: in a shared environment, for example, multiple applications may become overwhelmed and unable to accept any new requests. Users will experience slow response times or get a 404 Page Not Found error, notifying them that the page is not available. From a UX perspective, this system downtime can be detrimental to a business both reputationally and fiscally, which is likely the goal of the attacker.


How to Protect Against CVE 2024-21490 and Prevent a ReDoS Attack

In your own JavaScript code, you can remove, before a value reaches ng-srcset, the special characters that could be used to trigger backtracking. If you are unsure what to do next, or do not have the internal resources or expertise needed to create a patch, partnering with a third-party vendor like OpenLogic for long-term support would be wise. OpenLogic's AngularJS LTS includes security patches for medium- to high-severity CVEs, including CVE-2024-21490, and patches for breaking changes caused by web browser or jQuery updates. OpenLogic enterprise architects can also help you explore AngularJS alternatives so you can plan your migration off EOL AngularJS.
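As an added example of the sanitization step above (not AngularJS or OpenLogic code): a single-pass srcset parser an application can run on untrusted values before binding them to ng-srcset, so that a malformed or oversized value is dropped instead of being handed to a backtracking regular expression. The length limit, helper names and the width/density descriptor grammar are assumptions.

```javascript
// Added example (not AngularJS or OpenLogic code): a single-pass srcset parser
// for validating untrusted values before they are bound to ng-srcset. Each
// character is visited once, so the cost is linear in the input length however
// whitespace and commas are arranged, a bound a backtracking regex does not give.
// MAX_SRCSET_LENGTH and the descriptor grammar below are assumptions.
const MAX_SRCSET_LENGTH = 4096;
const isSpace = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';

// Width ("480w") or pixel-density ("1.5x") descriptor. The pattern is anchored
// and has no nested or overlapping quantifiers, so it cannot backtrack badly.
const isValidDescriptor = (d) => /^(\d+w|\d+(\.\d+)?x)$/.test(d);

// Returns an array of { url, descriptor } candidates, or null when the value is
// too long or malformed (a caller should then drop the attribute entirely).
function parseSrcsetLinear(value) {
  if (typeof value !== 'string' || value.length > MAX_SRCSET_LENGTH) return null;
  const candidates = [];
  const n = value.length;
  let i = 0;
  while (i < n) {
    while (i < n && (isSpace(value[i]) || value[i] === ',')) i++; // skip separators
    if (i >= n) break;
    let start = i;
    while (i < n && !isSpace(value[i])) i++;                        // URL token
    let end = i;
    const urlEndsWithComma = value[end - 1] === ',';
    while (end > start && value[end - 1] === ',') end--;            // drop trailing commas
    const url = value.slice(start, end);
    let descriptor = '';
    if (!urlEndsWithComma) {                                        // a comma ends the candidate
      while (i < n && isSpace(value[i])) i++;
      start = i;
      while (i < n && value[i] !== ',') i++;                        // descriptor text
      descriptor = value.slice(start, i).trim();
      if (descriptor !== '' && !isValidDescriptor(descriptor)) return null;
    }
    candidates.push({ url, descriptor });
  }
  return candidates.length > 0 ? candidates : null;
}

// Rebuilds a canonical value from the parsed candidates; returns '' (drop the
// attribute) when the input did not parse, so nothing odd reaches the directive.
function sanitizeSrcset(value) {
  const parsed = parseSrcsetLinear(value);
  if (!parsed) return '';
  return parsed.map((c) => (c.descriptor ? `${c.url} ${c.descriptor}` : c.url)).join(', ');
}
```

Run sanitizeSrcset over the value in the controller or a directive wrapper before it is bound, and treat an empty result as "no srcset".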


Final Thoughts

With any known CVE, it's always a good exercise to weigh the cost of doing nothing against the cost of being proactive. Until now, the disclosed AngularJS CVEs were medium severity, which may be why over 20% of the AngularJS users who took the State of Open Source survey said they either don't scan for vulnerabilities or just don't patch them.

However, now that a high severity CVE has been disclosed, the stakes are higher. It could be the first of many. If no one in house can build and test patches for your EOL AngularJS and you are not able to migrate right now, it's time to consider partnering with a support vendor like OpenLogic.
