Description
Versions of angular prior to 1.7.9 are vulnerable to prototype pollution. The deprecated API function merge() does not restrict the modification of an Object’s prototype in the , which may allow an attacker to add or modify an existing property that will exist on all objects.
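The class of bug described above, shown as an added example that is not AngularJS source code: a simplified recursive merge that copies a `__proto__` key from parsed JSON, next to a hardened variant that skips it. The names `unsafeMerge`, `safeMerge`, `demo` and the `isAdmin` property are hypothetical, and the input is constructed for the demonstration.

```javascript
// Added illustration of CWE-1321; a simplified deep merge, not angular.merge() itself.
const isObject = (v) => v !== null && typeof v === 'object';

// Unsafe: walks every own enumerable key, including "__proto__".
// Reading dst["__proto__"] on a plain object returns Object.prototype,
// so the recursion ends up writing onto the shared prototype.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (isObject(src[key])) {
      if (!isObject(dst[key])) dst[key] = {};
      unsafeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Hardened: refuse keys that can reach a prototype. Blocking "constructor"
// and "prototype" as well is a defensive assumption of this example.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isObject(src[key])) {
      if (!isObject(dst[key])) dst[key] = {};
      safeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Merges constructed, untrusted-looking JSON and reports whether an
// unrelated, freshly created object picked up the injected property.
function demo(mergeFn) {
  // JSON.parse creates "__proto__" as an ordinary own property.
  const untrusted = JSON.parse('{"__proto__": {"isAdmin": true}, "name": "x"}');
  const merged = mergeFn({}, untrusted);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution after the check
  return { polluted, name: merged.name };
}

console.log('unsafeMerge:', demo(unsafeMerge)); // polluted: true
console.log('safeMerge:  ', demo(safeMerge));   // polluted: false
```

The same `demo` check can be pointed at any merge helper in a code base to confirm whether it propagates a `__proto__` key.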
Recommendation
Update the angular package to the latest compatible version. Version details:
- Affected version(s): < 1.7.9
- Patched version(s): 1.7.9
References
- GHSA-89mq-4x47-5v83
- snyk.io
- lists.apache.org
- CVE-2019-10768
- CWE-1321
- CWE-20
- CWE-915
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A8
Related Issues
- Angular vulnerable to Cross-site Scripting - CVE-2020-7676
- AngularJS allows attackers to bypass common image source restrictions - CVE-2024-8372
- angular vulnerable to super-linear runtime due to backtracking - CVE-2024-21490
- angular vulnerable to regular expression denial of service via the angular.copy() utility - CVE-2023-26116
Tags
- npm
- angular
Last updated on November 20, 2025