CVE-2018-11537 in angular-jwt
Summary
by MITRE
Auth0 angular-jwt before 0.1.10 treats whiteListedDomains entries as regular expressions, which allows remote attackers with knowledge of the jwtInterceptorProvider.whiteListedDomains setting to bypass the domain whitelist filter via a crafted domain.
Analysis
by VulDB Data Team • 02/20/2020
CVE-2018-11537 affects versions of the angular-jwt library before 0.1.10; 0.1.10 is the first fixed release. angular-jwt is an AngularJS module that attaches a JSON Web Token to outgoing $http requests, and the jwtInterceptorProvider.whiteListedDomains setting exists to restrict that behaviour to trusted hosts: the token should only ever be sent to a domain listed there. In affected versions the library did not compare a string entry literally against the request hostname. It treated the entry as a regular expression pattern, so the check matched far more hostnames than the configuration suggests.
The root cause is that the domain strings were neither escaped nor anchored before being used in a regular expression match. In a regular expression an unescaped `.` matches any single character, so an entry of `api.example.com` also matches `api-example.com`, and because the pattern is not anchored with `^` and `$` it also matches anywhere inside a longer hostname such as `api.example.com.attacker.net`. An attacker who knows, or can guess, the whitelisted domain therefore only needs to control a hostname that happens to match the pattern; no change to the victim's configuration is required.
The practical consequence is token leakage rather than a simple authentication bypass. If the application can be made to issue a request to such a hostname, for example when part of a request URL is derived from attacker-controlled input, the interceptor attaches the user's JWT to that request and the attacker receives a bearer token that can be replayed against the real API for as long as it remains valid. Whether a given application can be induced to make such a request depends on how it builds its request URLs; the weakness itself is that the whitelist no longer enforces the trust boundary the developer configured. Affected applications are those that rely on whiteListedDomains to decide where the token may be sent.
Upgrade to angular-jwt 0.1.10 or later, where string entries are compared literally against the request hostname. If an entry genuinely needs pattern matching, supply it as an explicit regular expression that is anchored with `^` and `$` and has its dots escaped, rather than relying on a plain string. After upgrading, review the whiteListedDomains setting itself so that each entry is an exact hostname, and repeat the same review for any other allow-list in the stack that is implemented with a regular expression. The weakness is classified as CWE-185 (Incorrect Regular Expression) and is mapped here to ATT&CK technique T1566 (Phishing). Additional controls reduce the blast radius: a Content Security Policy connect-src directive that limits which hosts the application may call at all, short-lived access tokens, and monitoring for tokens presented from unexpected client sources.
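The matching mechanism described in the analysis and the literal-match fix, as an added example that is not angular-jwt's code: a toy whitelist check in JavaScript with the vulnerable unescaped, unanchored regex behaviour beside a hardened version, evaluated against constructed hostnames. The function names (urlIsWhiteListedVulnerable, urlIsWhiteListedFixed, literalDomainRegExp, compareChecks), the sample whitelist and the probe URLs are all assumptions made for the demonstration.

```javascript
// Added example modelling the CVE-2018-11537 weakness; NOT angular-jwt's implementation.
// All function names, the whitelist and the probe URLs are hypothetical.

// Hostname of an absolute URL; relative URLs (same origin) yield null.
function hostnameOf(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null;
  }
}

// Vulnerable pattern: a string entry is compiled into a RegExp and tested against the
// hostname without escaping or anchoring. "." matches any character and the match may
// occur anywhere inside the hostname.
function urlIsWhiteListedVulnerable(url, whiteListedDomains) {
  const hostname = hostnameOf(url);
  if (hostname === null) return false;
  return whiteListedDomains.some((domain) => {
    const re = domain instanceof RegExp ? domain : new RegExp(domain);
    return re.test(hostname);
  });
}

// Build a RegExp that matches a string domain literally: escape regex metacharacters
// (including ".") and anchor the whole pattern.
function literalDomainRegExp(domain) {
  const escaped = domain.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped + "$", "i");
}

// Hardened pattern: string entries match only by exact, case-insensitive equality;
// RegExp entries are honoured as written, so the developer must anchor them.
function urlIsWhiteListedFixed(url, whiteListedDomains) {
  const hostname = hostnameOf(url);
  if (hostname === null) return false;
  return whiteListedDomains.some((domain) => {
    if (domain instanceof RegExp) return domain.test(hostname);
    return typeof domain === "string" && literalDomainRegExp(domain).test(hostname);
  });
}

// Constructed sample configuration and request targets (not from a real deployment).
const whiteListedDomains = ["api.example.com"];

const probes = {
  legit:     "https://api.example.com/v1/me",
  dotAsAny:  "https://api-example.com/steal",          // "." matches "-", attacker-registrable
  suffix:    "https://api.example.com.attacker.net/",  // unanchored: matches at the start
  unrelated: "https://attacker.net/",
  relative:  "/v1/me",                                 // same-origin request, no hostname
};

// Evaluate every probe against both checks and return a comparison table.
function compareChecks(domains = whiteListedDomains, urls = probes) {
  const result = {};
  for (const [name, url] of Object.entries(urls)) {
    result[name] = {
      vulnerable: urlIsWhiteListedVulnerable(url, domains),
      fixed: urlIsWhiteListedFixed(url, domains),
    };
  }
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks());
}
```

Running the block prints a table in which both the `dotAsAny` and `suffix` probes pass the vulnerable check and fail the fixed one, which is exactly the gap an attacker-controlled host exploits to receive the bearer token. The same literalDomainRegExp helper is the shape a safe explicit pattern entry should take if pattern matching is really required.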