Summary by National Aeronautics and Space Administration (NASA) - Vulnerability Disclosure Program
This script needs to be public for it to function within the website
This submission documents the use of an end-of-life JavaScript framework within a production environment.
The application loads a production JavaScript bundle containing AngularJS 1.7.3, which is no longer supported and is affected by multiple publicly documented security issues.
A controlled proof of concept demonstrates how unsafe object handling in vulnerable client-side libraries may lead to Prototype Pollution, resulting in runtime modification of the JavaScript prototype chain.
Although no real-world exploitation or user impact was observed, the finding emphasizes the increased attack surface introduced by deprecated dependencies and reinforces the importance of keeping third-party components up to date.
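The prototype-chain modification described above, shown as an added example that is not part of the original submission and is not AngularJS source code: a generic recursive merge that follows the `__proto__` key, next to a hardened version that skips it. The function names and the constructed JSON input are assumptions made for illustration.

```javascript
// Added example: generic deep-merge helpers, not code from AngularJS or the report.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Unsafe: follows every key. dst["__proto__"] resolves to Object.prototype,
// so the nested write lands on the prototype shared by all objects.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      unsafeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Hardened: skips prototype-related keys and only recurses into own properties.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || !isPlainObject(dst[key])) dst[key] = {};
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Merges a constructed input, then checks whether Object.prototype changed.
function demo(mergeFn) {
  const input = JSON.parse('{"theme":{"dark":true},"__proto__":{"polluted":"yes"}}');
  const target = mergeFn({}, input);
  const leaked = {}.polluted;                      // read from an unrelated object
  const strayKeys = Object.keys(Object.prototype); // normally empty
  delete Object.prototype.polluted;                // restore the prototype
  return { theme: target.theme, leaked, strayKeys };
}

console.log("unsafe:", demo(unsafeMerge));
console.log("safe:  ", demo(safeMerge));
```

A non-empty `Object.keys(Object.prototype)` at runtime is a cheap check that something has written to the shared prototype.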