AngularJS improper sanitization in 'srcset' attribute
Description
Improper sanitization of the value of the 'srcset' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing).
This issue affects AngularJS versions 1.3.0-rc.4 and greater.
Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information, see https://docs.angularjs.org/misc/version-support-status.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AngularJS versions 1.3.0-rc.4+ fail to sanitize the 'srcset' attribute, allowing attackers to bypass image source restrictions and conduct content spoofing.
Vulnerability
Overview
CVE-2024-8372 is an improper sanitization vulnerability in the AngularJS srcset attribute handling. The ngSrcset, ngAttrSrcset, and ngPropSrcset directives do not properly validate and sanitize the value of the srcset attribute, which is used to define multiple image sources for responsive web designs. An attacker can craft a malicious value that bypasses common domain-based or pattern-based restrictions intended to limit which image sources are allowed. This affects AngularJS versions 1.3.0-rc.4 and greater [1][2][3].
Exploitation
Method
The vulnerability lies in the sanitization logic for the srcset attribute. By providing a specially crafted input—for example, a URL with unexpected characters or encoding—the attacker can evade restrictions such as only allowing images from a specific trusted domain. No authentication is required if the vulnerability is exposed through a page that reflects user input (e.g., a search box or comment) into AngularJS template expressions. The attack surface is broad: any AngularJS application that dynamically binds the srcset attribute using user-supplied data could be exploited [2][3].
Impact
Successful exploitation allows an attacker to bypass image source restrictions and inject arbitrary image URLs. This can lead to content spoofing—a type of injection where the attacker manipulates what the user sees within the trusted domain context. For example, an attacker could display a malicious image that appears to be from the legitimate site, potentially tricking users into performing unintended actions [2][3].
Mitigation and Status
The AngularJS project reached end-of-life in January 2022 and will not provide official fixes for this vulnerability [1][2]. However, third-party patches are available in community-supported extended versions: AngularJS NES v1.9.6, v1.5.22, and v1.4.16 [3]. Users are strongly advised to migrate to the actively supported Angular framework (angular.io). As a workaround, avoid binding the srcset attribute directly to user-controlled input, and apply server-side output encoding [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| angular (npm) | >= 1.3.0-rc.4, <= 1.8.3 | — |
Affected products
- pkg:apk/chainguard/solr (no CPE): range < 9.8.1-r0
- pkg:apk/chainguard/solr-oci-compat (no CPE): range < 9.8.1-r0
- pkg:apk/wolfi/solr (no CPE): range < 9.8.1-r0
- pkg:apk/wolfi/solr-oci-compat (no CPE): range < 9.8.1-r0
- pkg:npm/angular (no CPE): range >= 1.3.0-rc.4, <= 1.8.3
- Google/AngularJS (v5 range): >= 1.3.0-rc.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017 (ghsa; technical description, exploit; web)
- github.com/advisories/GHSA-m9gf-397r-hwpg (ghsa; advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-8372 (ghsa; advisory)
- www.herodevs.com/vulnerability-directory/cve-2024-8372 (ghsa; third-party advisory; web)
- lists.debian.org/debian-lts-announce/2025/07/msg00005.html (ghsa; web)
- security.netapp.com/advisory/ntap-20241122-0002 (ghsa; web)
News mentions
No linked articles in our index yet.