Impact
AngularJS includes a Strict Contextual Escaping subsystem that is supposed to filter resource URLs to prevent the execution of dangerous scripts. The flaw lies in the regular‑expression matching logic used to detect safe URLs; certain patterns trigger only a partial match, allowing a crafted URL to slip through the filter. An attacker can supply such a URL in a user‑controlled field that is bound to a resource URL, causing the browser to load and execute the embedded JavaScript within the victim’s session. The weakness is classified as CWE‑79 (Cross‑Site Scripting) and CWE‑791 (Untrusted Input), resulting in untrusted input being used in a security‑critical context.
Affected Systems
The affected product is AngularJS distributed by Google. All releases of AngularJS from version 1.2.0-rc.3 onward are vulnerable, and the project has reached End‑of‑Life, meaning no further security updates will be released.
Risk and Exploitability
The CVSS score of 7.6 indicates a high severity. An EPSS score of less than 1% suggests a low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The client‑side attack vector allows a malicious actor to introduce a specially crafted URL into any AngularJS‑controlled page that accepts untrusted input. Because the flaw bypasses internal sanitization, an attacker who can influence content bound to a resource URL could hijack sessions, steal, or perform other malicious actions within the victim’s browser session.
OpenCVE Enrichment