Miggo Logo
Miggo Vulnerability Database
CVE-2024-21490

CVE-2024-21490:
angular vulnerable to super-linear runtime due to backtracking

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-21490
GHSA ID
GHSA-4w4v-5hc9-xrr2
EPSS Score
0.69078%
CWE
CWE-1333
Published
2/10/2024
Updated
5/14/2024
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
angularnpm>= 1.3.0, <= 1.8.3
org.webjars.npm:angularmaven>= 1.3.0, <= 1.8.3
org.webjars.bower:angularmaven>= 1.3.0, <= 1.8.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description explicitly identifies the ng-srcset directive's value splitting regex as the root cause. While exact implementation details aren't provided in available sources, AngularJS architecture dictates that srcset handling would be implemented in directive processing code. The confidence is high because:

  1. The advisory specifically calls out ng-srcset as the vulnerable directive
  2. ReDoS vulnerabilities in this context typically stem from the regex used for attribute parsing
  3. AngularJS 1.x's EOL status matches the affected versions
  4. Multiple independent sources (NVD, Snyk, GHSA) confirm the attack vector involves ng-srcset processing

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts v*rsions o* t** p**k*** *n*ul*r *rom *.*.*. * r**ul*r *xpr*ssion us** to split t** v*lu* o* t** n*-sr*s*t *ir**tiv* is vuln*r**l* to sup*r-lin**r runtim* *u* to ***ktr**kin*. Wit* * l*r** **r**ully-*r**t** input, t*is **n r*sult in **t*s

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s t** n*-sr*s*t *ir**tiv*'s v*lu* splittin* r***x *s t** root **us*. W*il* *x**t impl*m*nt*tion **t*ils *r*n't provi*** in *v*il**l* sour**s, *n*ul*rJS *r**it**tur* *i*t*t*s t**t sr*s*t **n*lin* woul*