the state of javascript frameworks security report 2019

JavaScript frameworks security report 2019

| By Liran Tal

Welcome to Snyk’s State of JavaScript frameworks security report 2019.

In this report, we investigate the state of security for both the Angular and React ecosystems. This report by no means intends to venture into any rivalries that may exist between the two in terms of whether one or the other is a true framework – we are not comparing them as competitive frameworks at all. Instead, we review them each as viable frontend ecosystem alternatives for building your JavaScript projects, while focusing on security risks and best practices for each and the differences between them.

We highly recommend to download the full version of the report in its digital format, but have also made the following general sections available as blog posts:

This report covers:

  • the security practices for each of the two different core projects, both Angular and React
  • the state of security of each of the two different module ecosystems, based on an in-depth look at the vulnerabilities contained in each of the ecosystems
  • the security practices for other common JavaScript frontend framework alternatives such as Vue.js, Bootstrap and jQuery
  • the significant security differences between the different alternatives, and particularly between Angular and React

JavaScript frameworks security report 2019 key takeaways

Following are key takeaways from our report’s findings.

Angular vs. React core project securityAngular vs. React module ecosystem security
🔘Angular contains twenty three security vulnerabilities in its legacy AngularJS project (Angular v1.x). 🔘 Both React and Angular module ecosystems exhibit security vulnerabilities in highly popular frontend library components spanning millions of downloads, some of which have no security fix available to date.
🔘No security vulnerabilities were identified in the core Angular framework components.🔘We have witnessed malicious modules impacting both the Angular and the React ecosystems with an attempt to harvest credit cards, passwords and other sensitive information used in frontend web applications.
🔘React has a few security vulnerabilities; vulnerabilities seem to be regularly found in its core libraries and disclosed every couple of years.🔘The Next.js framework exhibited a great commitment to security by swiftly addressing all five vulnerabilities found throughout the lifetime of their project, offering fixes within just one week.
🔘Only one React core project vulnerability has an official CVE assigned. None of the reported Angular vulnerabilities are listed by CVE at all. Together, these prove the need for a vulnerability database that taps into open source community activities, in order to surface relevant security issues.
🔘Snyk reports twenty six security vulnerabilities across Angular and React core projects, which npm audit falls short of in its reports.

A word about CVE and security vulnerabilities

In order to investigate the overall security posture of each of the ecosystems included in this report, amongst the factors we discuss are security vulnerabilities identified in the different relevant packages. We review and discuss these vulnerabilities on the landscape of, and sometimes in comparison to, known vulnerabilities.

Known vulnerabilities have been assigned an identification number in the list of Common Vulnerabilities and Exposures (CVEs) maintained by the CVE Numbering Authorities (CNAs). CVEs are assigned CVSS scores that provide insight into how severe the listed vulnerabilities are. Learn more about how the severities of vulnerabilities are scored via their CVSS here.


Angular vs. React security postureFrontend ecosystem security
🔘Angular has visible and attainable security guidelines, a security contact and a responsible disclosure policy, all of which are missing from the React project.🔘jQuery was downloaded more than 120 million times in the last 12 months and according to W3Techs, jQuery v1.x is used in 84% of all websites using jQuery, which have four medium severity XSS vulnerabilities affecting it. In fact, if you’re not using jQuery v3.4.0 and above, which is true for the majority of jQuery users, then you are using a version that includes security vulnerabilities.
🔘Angular has broader built-in support for data sanitization and output encoding in different contexts such as URL attributes in HTML anchor (or, link) elements.🔘Bootstrap has been downloaded 79,185,409 times in the past twelve months, all while containing seven Cross-Site Scripting (XSS) vulnerabilities. Three of these were disclosed in 2019. Notable community modules such as bootstrap-markdown have more than 300,000 downloads in the same time frame, despite having no security fix or upgrade path to its XSS vulnerabilities. bootstrap-select features more than two million downloads and has a high severity XSS vulnerability that the Snyk research team surfaced with the help of their proprietary threat intelligence system.
🔘React doesn’t have built-in controls for data sanitization, but rather encodes output by default in most cases and leaves it up to developers to address unhandled cases such as refs and URL attributes (the latter of which is addressed in the React v16.9.0 release).🔘The Vue.js framework has been downloaded more than 40 million times this past 12 months and records four vulnerabilities in total for Vue.js core, all of which have been fixed.
🔘Angular includes support for Cross-Site Request Forgery (CSRF) vulnerabilities with a built-in security mechanism in its HTTP service. React developers need to address these issues independently.

Continue to read the Angular vs React: Security Bakeoff 2019 or download the full report.

This report reviews the overall security of each framework, their community-powered module ecosystems and the associated security risks with each; based on these insights, this report ultimately provides actionable security advice for Angular and React users by highlighting best security practices employed in the field in order to ensure secure code.