CVE-2024-8372 - How Improper [srcset] Sanitization in AngularJS Exposes Users to Content Spoofing
Published: June 2024
Summary:
A newly disclosed vulnerability, CVE-2024-8372, affects AngularJS versions 1.3.0-rc.4 and above, exposing users to content spoofing through improper sanitization of the [srcset] attribute. This post walks through the details of the flaw, including example exploit code, its security impact, and references for further reading.
What is CVE-2024-8372?
AngularJS, a widely used JavaScript frontend framework, includes built-in sanitization to prevent attackers from injecting malicious content, especially in attributes like src, href, or srcset in image tags.
The vulnerability lies in improper filtering of the srcset attribute. While most other attributes are properly sanitized to block dangerous or untrusted URLs, srcset can be abused to include disallowed sources. Attackers can use this bypass to inject images from restricted sources or deliver misleading (spoofed) content.
Why Is It Dangerous?
Because images are often used for branding, user interface elements, status icons, and critical information, malicious or spoofed content in images can:
- Deliver images from attacker-controlled servers (for phishing, click-tracking, etc.).
- Expose users and applications to further attacks, such as session hijacking or even XSS in chained scenarios.
OWASP has a good primer on Content Spoofing Attacks.
Who Is Affected?
All applications using AngularJS from version 1.3.0-rc.4 up to (and including) the final release are affected. This is particularly serious because the AngularJS project is End-of-Life and will not receive any patches for this bug.
> See AngularJS End-of-Life notice:
> https://docs.angularjs.org/misc/version-support-status
How Does the Exploit Work?
Normally, AngularJS sanitizes image src attributes and strips out values beginning with javascript:, data:, or other non-permitted protocols.
However, researchers found that the srcset attribute is not sanitized properly, and an attacker can supply a value that would be blocked on src, but is accepted on srcset. Browsers will happily load images from malicious or unrestricted sources, even if src is limited.
Suppose you have a template binding user-provided values to an image's srcset:
<!-- BAD: user data bound directly into srcset -->
<img ng-srcset="{{maliciousInput}}">
If an attacker submits the following input:
javascript:alert(1) 1x, https://evil.com/logo.png 2x
In a secure context, the javascript: URL would be blocked.
But in AngularJS up to v1.8.x, this is not filtered out of srcset!
As a result, browsers could process a malicious image or, depending on policy, even execute script or deliver a spoofed image.
Suppose your template looks like this:
<img ng-srcset="{{user.pictureLinks}}">
A payload sent to your server:
{
"pictureLinks": "https://victim.com/logo.png 1x, https://evil.com/fake.png 2x"
}
AngularJS will render the image HTML as:
<img srcset="https://victim.com/logo.png 1x, https://evil.com/fake.png 2x">
On a retina display or with 2x resolution requirements, the browser will download https://evil.com/fake.png without any restrictions.
If your UI displays trusted images—like company logos or verified user badges—an attacker can spoof or replace these images to trick users.
Mitigation
Migrate Frameworks:
Move to a modern, supported frontend framework such as Angular 2+, React, or Vue.js.
Remove or Limit [srcset] Binding:
Do not bind user-provided or untrusted values directly to srcset. Either use a safe whitelist of image URLs or omit srcset entirely.
Additional Sanitization:
Manually validate all attributes and filter srcset values at the server or application logic level. Allow only trusted image sources.
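One way to implement the application-level check described above, as an added example that is not part of the original post or of AngularJS itself: a conservative srcset validator that tokenises the candidate list the way the HTML spec does (URL up to whitespace, then descriptors up to the next comma) and only passes a value whose every candidate is an absolute http(s) URL on an allowlisted origin. The origin list, the helper names and the sample inputs are constructed for the example.

```javascript
// Constructed allowlist of origins the UI is allowed to load images from.
const TRUSTED_ORIGINS = new Set(["https://victim.com"]);

// Split a srcset value into { url, descriptors } candidates. Mirrors the
// HTML spec tokeniser closely enough for validation: a URL runs to the
// first whitespace; trailing commas on the URL end the candidate,
// otherwise descriptors run to the next comma.
function parseSrcset(value) {
  const candidates = [];
  let i = 0;
  const n = value.length;
  while (i < n) {
    while (i < n && /[\s,]/.test(value[i])) i++; // skip separators
    if (i >= n) break;
    const start = i;
    while (i < n && !/\s/.test(value[i])) i++;
    let url = value.slice(start, i);
    let descriptors = "";
    if (url.endsWith(",")) {
      url = url.replace(/,+$/, "");
    } else {
      const dstart = i;
      while (i < n && value[i] !== ",") i++;
      descriptors = value.slice(dstart, i).trim();
    }
    candidates.push({ url, descriptors });
  }
  return candidates;
}

// Return a normalised srcset string, or null if any candidate is relative,
// uses a non-http(s) scheme (javascript:, data:, ...), points at an origin
// outside the allowlist, or carries a malformed width/density descriptor.
function validateSrcset(value, trustedOrigins = TRUSTED_ORIGINS) {
  const candidates = parseSrcset(value);
  if (candidates.length === 0) return null;
  for (const c of candidates) {
    let parsed;
    try {
      parsed = new URL(c.url); // throws for relative and scheme-relative URLs
    } catch (e) {
      return null;
    }
    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
    if (!trustedOrigins.has(parsed.origin)) return null;
    if (c.descriptors && !/^(\d+w|\d*\.?\d+x)$/.test(c.descriptors)) return null;
  }
  return candidates.map(c => (c.descriptors ? `${c.url} ${c.descriptors}` : c.url)).join(", ");
}
```

Run the validator on the server (or in the controller) before the value reaches ng-srcset; a null result means the whole attribute is dropped rather than partially rendered.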
References
- CVE Listing: (add official CVE link, if/when assigned)
- OWASP Content Spoofing
- AngularJS EOL Notice
- No patches are coming; AngularJS has reached End-of-Life.
- Remove user-controlled bindings to [srcset], validate image sources, and plan to migrate frameworks if you rely on AngularJS for critical apps.
- Always apply the principle of least privilege and defense-in-depth, especially for deprecated and unsupported software stacks.
Stay informed, keep your dependencies up-to-date, and take this as a reminder that end-of-life software can expose you and your users to unexpected risks.
Timeline
Published on: 09/09/2024 15:15:12 UTC
Last modified on: 09/17/2024 17:24:21 UTC