AngularJS improper sanitization in '<source>' element
Description
Improper sanitization of the value of the [srcset] attribute in HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing).
This issue affects all versions of AngularJS.
Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see https://docs.angularjs.org/misc/version-support-status.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AngularJS fails to sanitize the `srcset` attribute on `<source>` elements, allowing attackers to bypass image source restrictions and perform content spoofing.
Vulnerability Description
CVE-2024-8373 is an improper sanitization vulnerability in AngularJS that affects all versions of the framework. The bug lies in the handling of the [srcset] attribute on `<source>` HTML elements. AngularJS normally applies image source sanitization to the elements that load images, restricting which domains can be used, but this sanitization is bypassed when the srcset attribute of a `<source>` element is set via the `ngAttrSrcset` directive or interpolation [1][2].
Attack Vector and Prerequisites
An attacker can exploit this vulnerability by injecting a malicious URL into the srcset attribute of a `<source>` element. This can be achieved through any mechanism that allows user-controlled input to be bound to the attribute, such as template injection or cross-site scripting (XSS) vectors. No authentication is required if the application renders user-supplied data in AngularJS templates. The attacker only needs to be able to provide content that the application processes as part of a template [2][3].
Impact
Successful exploitation allows an attacker to bypass restrictions on image sources, enabling them to load images from arbitrary external domains. This can be leveraged for content spoofing, where the attacker injects misleading content into a page displayed under the context of the trusted domain. This attack can be used for phishing, defacement, or other forms of UI manipulation [2][3].
Mitigation and Status
The AngularJS project is End-of-Life (EOL) and will not receive official patches for this vulnerability [1][2]. However, third-party support providers (e.g., HeroDevs) have released patched versions such as AngularJS NES v1.9.6, v1.5.22, and v1.4.16. Users still running AngularJS should apply one of these secure versions or migrate to the actively supported Angular framework [1][3].
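The description above says the bypass exists because the srcset value of a `<source>` element is not run through the same per-URL check that protects other image sources. For applications that cannot yet move off AngularJS, the following is an added example (not AngularJS code and not from the advisory) of the compensating check a template pre-processor or custom directive would have to apply: every candidate URL inside a srcset value is parsed out and validated against an origin allow-list. The allow-list, base URL and sample srcset values are constructed for this example.

```javascript
// Tokenize a srcset value into {url, descriptor} candidates. A URL may contain
// commas (e.g. data: URLs), so a candidate ends at whitespace, at a comma that
// trails the URL, or at the comma following its descriptors.
function parseSrcset(value) {
  const candidates = [];
  const isWs = (c) => /\s/.test(c);
  let i = 0;
  while (i < value.length) {
    while (i < value.length && (isWs(value[i]) || value[i] === ',')) i++;
    if (i >= value.length) break;
    let start = i;
    while (i < value.length && !isWs(value[i])) i++;
    let url = value.slice(start, i);
    let descriptor = '';
    if (url.endsWith(',')) {
      url = url.replace(/,+$/, ''); // "a.png," has no descriptors
    } else {
      while (i < value.length && isWs(value[i])) i++;
      start = i;
      while (i < value.length && value[i] !== ',') i++;
      descriptor = value.slice(start, i).trim();
      if (i < value.length) i++; // consume the separating comma
    }
    if (url) candidates.push({ url, descriptor });
  }
  return candidates;
}

// Constructed allow-list (assumption): only these origins may serve images.
const ALLOWED_IMAGE_ORIGINS = new Set([
  'https://app.example.com',
  'https://cdn.example.com',
]);

// Keep only candidates whose resolved URL is https and on an allowed origin.
// Relative URLs resolve against `base`; data:, javascript: and protocol-relative
// URLs pointing elsewhere all fail the check and are reported in `rejected`.
function sanitizeSrcset(value, allowed = ALLOWED_IMAGE_ORIGINS,
                        base = 'https://app.example.com/') {
  const kept = [];
  const rejected = [];
  for (const { url, descriptor } of parseSrcset(value)) {
    let resolved;
    try { resolved = new URL(url, base); } catch { rejected.push(url); continue; }
    if (resolved.protocol === 'https:' && allowed.has(resolved.origin)) {
      kept.push(descriptor ? `${url} ${descriptor}` : url);
    } else {
      rejected.push(url);
    }
  }
  return { srcset: kept.join(', '), rejected };
}
```

Rejected candidates are dropped rather than prefixed, so the resulting value is safe to bind directly; log `rejected` to spot templates that receive hostile input.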
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| angular (npm) | <= 1.8.3 | — |
Affected products
- pkg:apk/chainguard/solr (no CPE): range < 9.8.1-r0
- pkg:apk/chainguard/solr-oci-compat (no CPE): range < 9.8.1-r0
- pkg:apk/wolfi/solr (no CPE): range < 9.8.1-r0
- pkg:apk/wolfi/solr-oci-compat (no CPE): range < 9.8.1-r0
- pkg:npm/angular (no CPE): range <= 1.8.3
- Google/AngularJS: range >= 0.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b (GHSA; technical description, exploit; web)
- github.com/advisories/GHSA-mqm9-c95h-x2p6 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-8373 (GHSA; advisory)
- www.herodevs.com/vulnerability-directory/cve-2024-8373 (GHSA; third-party advisory; web)
- lists.debian.org/debian-lts-announce/2025/07/msg00005.html (GHSA; web)
- security.netapp.com/advisory/ntap-20241122-0003 (GHSA; web)
News mentions
No linked articles in our index yet.