AngularJS allows attackers to bypass common image source restrictions (GHSA-mqm9-c95h-x2p6)
Severity: Low
Description
Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing).
This issue affects all versions of AngularJS.
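Added illustration of the defensive point behind this advisory (example code, not AngularJS or the advisory's own code): a restriction that inspects only src is insufficient for a <source> element, because srcset carries several candidate URLs and each must be parsed out and validated. The parser follows the HTML srcset candidate grammar; the allowlist, base URL and sample attributes below are constructed.

```javascript
// Added example: enforce an origin allowlist on every image URL a
// <source> element can load, i.e. src plus each srcset candidate.

// Split a srcset value into candidate URLs per the HTML srcset grammar:
// candidates are comma-separated, each is a URL optionally followed by a
// width/density descriptor, and a URL may itself contain commas (data:
// URLs) as long as the comma is not followed by whitespace.
function parseSrcsetUrls(srcset) {
  const urls = [];
  const s = srcset;
  let i = 0;
  while (i < s.length) {
    while (i < s.length && /[\s,]/.test(s[i])) i++; // leading ws/commas
    if (i >= s.length) break;
    const start = i;
    while (i < s.length && !/\s/.test(s[i])) i++;   // URL runs to whitespace
    const url = s.slice(start, i);
    const trimmed = url.replace(/,+$/, '');
    if (trimmed.length !== url.length) { urls.push(trimmed); continue; } // no descriptor
    urls.push(url);
    while (i < s.length && s[i] !== ',') i++;       // skip the descriptor
  }
  return urls;
}

function urlOrigin(url, base) {
  try { return new URL(url, base).origin; } catch (e) { return null; }
}

// Returns the image URLs on a <source> element that fall outside the
// allowed origins; an empty array means the element is acceptable.
// Unparsable URLs and non-hierarchical schemes (data:, javascript:)
// report origin "null" and are rejected as well.
function disallowedImageUrls(attrs, allowedOrigins, base) {
  const candidates = [];
  if (attrs.src) candidates.push(attrs.src);
  if (attrs.srcset) candidates.push(...parseSrcsetUrls(attrs.srcset));
  return candidates.filter((u) => {
    const origin = urlOrigin(u, base);
    return origin === null || origin === 'null' || !allowedOrigins.includes(origin);
  });
}

const ALLOWED = ['https://cdn.example'];   // constructed allowlist
const BASE = 'https://app.example/';       // constructed document base
// Constructed attributes: src is allowed, but srcset adds a candidate
// from another origin. A check that looks only at src passes this.
const SAMPLE = {
  src: 'https://cdn.example/hero.png',
  srcset: 'https://cdn.example/hero.png 1x, https://other.example/banner.png 2x',
};
console.log(disallowedImageUrls(SAMPLE, ALLOWED, BASE));
```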
Recommendation
No fix is available yet. The following versions are affected:
- <= 1.8.3
References
- GHSA-mqm9-c95h-x2p6
- codepen.io
- www.herodevs.com
- security.netapp.com
- lists.debian.org
- CVE-2024-8373
- CWE-791
- CAPEC-310
- OWASP 2021-A6
Related Issues
- AngularJS allows attackers to bypass common image source restrictions - CVE-2024-8372
- tiny-secp256k1 allows for verify() bypass when running in bundled environment - CVE-2024-49365
- Astro allows unauthorized third-party images in _image endpoint (GHSA-xf8x-j4p2-f749) - CVE-2025-55303
- Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server - CVE-2024-11023
Tags: npm, angular
Last updated on November 03, 2025