CVE-2016-10524: Denial of Service and Content Injection in i18n-node-angular
CVSS Score: 8.2 (CVSS 3.0)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.48137%
CWE
Published: 2/18/2019
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
i18n-node-angular | npm | < 1.4.0 | 1.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the '/i18n/:locale/:phrase' route being registered in production. The commit diff shows that the fix gates this route registration behind a development environment check. The translate handler (i18nRoutes.translate) attached to this route:

1) Accepts arbitrary user input via the :phrase parameter without proper sanitization (CWE-74), enabling XSS.
2) Provides an unauthenticated endpoint that could be flooded for DoS (CWE-400).

The combination of route exposure in production and lack of input validation/sanitization in the handler makes this function vulnerable.
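The two mitigations described above (gating the phrase route on the environment, then bounding and encoding `:phrase` in the handler) are sketched below as an added example; it is not the i18n-node-angular source. The stub app and response objects, the handler bodies, `MAX_PHRASE_LENGTH` and `exposedRoutes` are assumptions made so the block runs without Express.

```javascript
// Added example, not the project's code. All names below are illustrative.
const MAX_PHRASE_LENGTH = 200; // assumed bound on the :phrase parameter

// Encode characters that are significant in HTML before echoing input.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Development-only handler: bounds and encodes :phrase before responding.
// (A real handler would translate the phrase; this one echoes it.)
function translate(req, res) {
  const phrase = String(req.params.phrase || "");
  if (phrase.length > MAX_PHRASE_LENGTH) {
    return res.status(400).send("phrase too long");
  }
  return res.status(200).send(escapeHtml(phrase));
}

// The phrase route is registered only when env is "development".
function registerI18nRoutes(app, env) {
  app.get("/i18n/:locale", (req, res) => res.status(200).send("{}"));
  if (env === "development") {
    app.get("/i18n/:locale/:phrase", translate);
  }
  return app;
}

// Minimal stand-in for an Express app: records path -> handler.
function makeStubApp() {
  const routes = new Map();
  return { routes, get(path, handler) { routes.set(path, handler); } };
}

// Minimal stand-in for an Express response object.
function makeStubRes() {
  const res = { statusCode: null, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
}

// Audit helper: which routes would be exposed for a given environment?
function exposedRoutes(env) {
  return [...registerI18nRoutes(makeStubApp(), env).routes.keys()];
}
```

`exposedRoutes("production")` can serve as a deployment check that the phrase route is absent outside development.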