AngularJS security update for Debian 12

A security update for AngularJS has been released for Debian GNU/Linux 12 (Bookworm), addressing multiple vulnerabilities identified in the framework. This update is documented in Debian LTS Advisory DLA-4242-1, issued on July 20, 2025, by Bastien Roucariès.

The update includes fixes for several vulnerabilities, each associated with specific CVE IDs. Notable issues include:

- CVE-2022-25844: A Regular Expression Denial of Service (ReDoS) vulnerability related to custom locale rules.
- CVE-2023-26116 and CVE-2023-26117: ReDoS vulnerabilities linked to the angular.copy() utility function and the $resource service, respectively, both stemming from insecure regular expressions.
- CVE-2024-8372 and CVE-2024-8373: These involve improper sanitization of the 'srcset' attribute, allowing content spoofing through bypassing image source restrictions.
- CVE-2024-21490: Another ReDoS issue due to an insecure regular expression in the ng-srcset directive.
- CVE-2025-0716 and CVE-2025-2336: Vulnerabilities in sanitizing 'href' attributes of SVG elements and in the ngSanitize module, respectively, which can also lead to content spoofing.

For users running Debian 11 (Bullseye), the issues have been resolved in version 1.8.3-1+deb12u1~deb11u1. It is recommended that users upgrade their AngularJS packages to ensure protection against these vulnerabilities.

For detailed security status and further information regarding the update process, users are encouraged to visit the security tracker page for AngularJS and the Debian LTS wiki.

It is crucial for users and administrators of systems running AngularJS, particularly on Debian distributions, to stay informed about such security updates. Regularly checking for updates not only helps in mitigating risks associated with known vulnerabilities but also ensures the overall integrity and security of applications built on the AngularJS framework. Adopting best practices for security, such as implementing robust input validation and sanitization, can further enhance protection against potential attacks that exploit these vulnerabilities. Additionally, organizations should consider establishing a routine for maintaining software dependencies, including automated alerts for updates and patches to facilitate timely responses to security advisories.

An AngularJS security update has been released for Debian GNU/Linux 12 (Bookworm):

[DLA 4242-1] angular.js security update

AngularJS security update for Debian 12 @ Linux Compatible