From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
Date: Sat, 7 Jun 2025 22:22:12 +0200
Subject: CVE-2025-2336
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
An improper sanitization vulnerability has been identified in AngularJS' ngSanitize module,
which allows attackers to bypass common image source restrictions normally
applied to image elements. This bypass can further lead to a form of
Content Spoofing. Similarly, the application's performance and behavior
could be negatively affected by using too large or slow-to-load images.
The $sanitize service, which is provided by the angular-sanitize package,
is used for sanitizing HTML strings by stripping all potentially dangerous tokens.
As part of the sanitization, it checks the URLs of images to ensure they
abide by the defined image source rules. This allows improving the security
of an application by setting restrictions on the sources of images
that can be shown. For example, only allowing images from a specific domain.
However, due to a bug in the $sanitize service, SVG <image> elements
are not correctly detected as images, even when SVG support is enabled.
As a result, the image source restrictions are not applied to the images
that can be shown. This allows bypassing the image source restrictions configured
in the application, which can also lead to a form of Content Spoofing.
Similarly, the application's performance and behavior can be negatively affected
by using too large or slow-to-load images.
bug: https://www.herodevs.com/vulnerability-directory/cve-2025-2336
bug-PoC: https://codepen.io/herodevs/pen/bNGYaXx/412a3a4218387479898912f60c269c6c
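The image-source check described above, as an added example that is not AngularJS code and not part of this patch: it models the per-attribute `isImage` decision before and after the fix and runs a constructed image-source policy over it, so the bypass on SVG `<image href>` and its closure are visible. The validator, the policy regex and the `attrAllowed` helper are assumptions made for the demonstration.

```javascript
// Added example: models $sanitize's per-attribute URI check around the
// CVE-2025-2336 fix. Not AngularJS code; validator and policy are assumed.

// Constructed policy: the application only allows images from one host.
const TRUSTED_IMG_SRC = /^https:\/\/img\.example\.com\//i;
// Constructed generic URI check used for non-image URI attributes.
const GENERIC_URI = /^\s*(https?|ftp|mailto|tel|file):/i;

// isImage as computed before the fix: only <img src> and background count.
function isImageBefore(tag, lkey) {
  return (tag === 'img' && lkey === 'src') || (lkey === 'background');
}

// isImage as computed after the fix: SVG <image href|xlink:href> is an image too.
function isImageAfter(tag, lkey) {
  return isImageBefore(tag, lkey) ||
    (tag === 'image' && (lkey === 'href' || lkey === 'xlink:href'));
}

// Stand-in for uriValidator (assumption): image URIs must satisfy the app's
// image policy, everything else only has to pass the generic URI check.
function uriValidator(uri, isImage) {
  return isImage ? TRUSTED_IMG_SRC.test(uri) : GENERIC_URI.test(uri);
}

// Does a URI-bearing attribute survive sanitization under the given isImage rule?
// Mirrors the hunk: the key is lowercased before classification.
function attrAllowed(tag, key, value, isImageFn) {
  const lkey = key.toLowerCase();
  return uriValidator(value, isImageFn(tag, lkey));
}

// Demonstration on constructed inputs.
const untrusted = 'https://evil.example/x.png';   // constructed, off-policy
const trusted = 'https://img.example.com/ok.png'; // constructed, on-policy
console.log('img src, before fix   :', attrAllowed('img', 'src', untrusted, isImageBefore));   // false
console.log('svg image, before fix :', attrAllowed('image', 'href', untrusted, isImageBefore)); // true (bypass)
console.log('svg image, after fix  :', attrAllowed('image', 'href', untrusted, isImageAfter));  // false
console.log('svg image, after fix  :', attrAllowed('image', 'xlink:HREF', trusted, isImageAfter)); // true
```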
---
src/ngSanitize/sanitize.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ngSanitize/sanitize.js b/src/ngSanitize/sanitize.js
index 34e0e09..64ce508 100644
--- a/src/ngSanitize/sanitize.js
+++ b/src/ngSanitize/sanitize.js
@@ -598,7 +598,7 @@ function $SanitizeProvider() {
out(tag);
forEach(attrs, function(value, key) {
var lkey = lowercase(key);
- var isImage = (tag === 'img' && lkey === 'src') || (lkey === 'background');
+ var isImage = (tag === 'img' && lkey === 'src') || (lkey === 'background') || (tag === 'image' && (lkey === 'href' || lkey === 'xlink:href'));
if (validAttrs[lkey] === true &&
(uriAttrs[lkey] !== true || uriValidator(value, isImage))) {
out(' ');
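Review bot: the new `isImage` expression on the `+` line carries no comment saying that `image` here is the SVG `<image>` element and that its `href`/`xlink:href` attributes are image sources, which is the entire reason for the change; a one-line comment above `var isImage` and a unit test feeding an SVG `<image xlink:href>` through a restrictive image-source policy would stop this from regressing silently. The branch only matters when `validAttrs[lkey]` and `uriAttrs[lkey]` are set for `href` and `xlink:href` in SVG mode, which this hunk does not show, so that should be confirmed in review; the long single-line condition would also read better split across lines, matching the `if` just below it.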