CVE-2018-11537: Security Update for angular-jwt Allow List Bypass

Published: June 5, 2018

CVE number: CVE-2018-11537

Credit: Stephan Hauser


The domain allowlisting feature can be bypassed. For example, if the setting is initialized with:

jwtInterceptorProvider.whiteListedDomains = [''];

An attacker can set up a domain that will pass the allow list filter. The root cause is that angular-jwt always treats whiteListedDomains entries as regular expressions, so the unescaped . separator matches any character instead of a literal dot.
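The following is an added illustration of that root cause, not angular-jwt's own source: a simplified check that compiles string entries into regular expressions as-is, beside a hardened version that compares strings literally and only uses patterns the developer supplied as RegExp objects. The allow-list entries and probe hostnames are constructed samples.

```javascript
// Added illustration of the CVE-2018-11537 root cause; it is not angular-jwt's
// own source. Sample hostnames and list entries below are constructed.

// Vulnerable check: every string entry is compiled into a RegExp as-is, so the
// unescaped "." matches any character and the pattern is not anchored either.
function isAllowedVulnerable(hostname, entries) {
  return entries.some((entry) => new RegExp(entry, 'i').test(hostname));
}

// Hardened check: string entries are matched as literal hostnames; only a
// RegExp the developer supplied deliberately is used as a pattern, and it is
// anchored so it has to match the whole hostname.
function isAllowedHardened(hostname, entries) {
  const host = hostname.toLowerCase();
  return entries.some((entry) => {
    if (entry instanceof RegExp) {
      const flags = entry.flags.includes('i') ? entry.flags : entry.flags + 'i';
      return new RegExp('^(?:' + entry.source + ')$', flags).test(host);
    }
    return typeof entry === 'string' && entry.toLowerCase() === host;
  });
}

// Audit helper: for a set of probe hostnames, report which ones each check
// would accept, so an over-broad allow list shows up before deployment.
function compareChecks(entries, hostnames) {
  return hostnames.map((h) => ({
    hostname: h,
    vulnerable: isAllowedVulnerable(h, entries),
    hardened: isAllowedHardened(h, entries),
  }));
}

// Constructed allow list and probes: the second probe differs from the entry
// only at the position of the dot, the third only appends to it.
const sampleList = ['api.example.com'];
const probes = ['api.example.com', 'api-example.com', 'api.example.com.other.test'];

console.log(compareChecks(sampleList, probes));
```

The empty-string initialization quoted above is the extreme case: compiled as a regular expression, '' matches every hostname, whereas the literal comparison accepts none.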

Am I affected?

If the following apply you are affected by this vulnerability:

  • You use a version of angular-jwt lower than 0.1.10

  • You use domain allow listing in your code

How do I fix this?

Developers using the angular-jwt library need to upgrade to the latest version, 0.1.10.

The updated package is available on npm: npm install angular-jwt@0.1.10

To make it easier to keep up with security updates in the future, please make sure your package.json file is updated to take patch and minor level updates of our libraries:

  "dependencies": {
    "angular-jwt": "^0.1.10"
  }

Will this update impact my users?

No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.