Description
AngularJS lets users write client-side web applications. The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS): a custom locale rule can assign NUMBER_FORMATS.PATTERNS[1].posPre a very long string, for example through posPre: ' '.repeat() with a very high value.
Note: 1.
Recommendation
No fix is available yet. The following versions are affected:
- >= 1.7.0
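With no fixed release, a possible mitigation is to bound the prefix and suffix strings of any custom locale rule before the application uses it. The check below is an added example, not code from AngularJS or from this advisory; the function names and the 16-character limit are assumptions.

```javascript
// Added example: bound the affix strings of a custom AngularJS locale rule.
// MAX_AFFIX_LENGTH and both function names are assumptions, not AngularJS APIs.
const MAX_AFFIX_LENGTH = 16;
const AFFIX_FIELDS = ['posPre', 'posSuf', 'negPre', 'negSuf'];

// Returns a list of problems found in locale.NUMBER_FORMATS.PATTERNS.
function findUnsafeAffixes(locale, maxLen = MAX_AFFIX_LENGTH) {
  const problems = [];
  const formats = locale && locale.NUMBER_FORMATS;
  const patterns = formats && formats.PATTERNS;
  if (!Array.isArray(patterns)) {
    return ['NUMBER_FORMATS.PATTERNS is missing or not an array'];
  }
  patterns.forEach((pattern, i) => {
    for (const field of AFFIX_FIELDS) {
      const value = pattern ? pattern[field] : undefined;
      const where = `NUMBER_FORMATS.PATTERNS[${i}].${field}`;
      if (typeof value !== 'string') {
        problems.push(`${where} is not a string`);
      } else if (value.length > maxLen) {
        problems.push(`${where} has length ${value.length}, limit is ${maxLen}`);
      }
    }
  });
  return problems;
}

// Throws instead of handing an oversized locale rule to the application.
function assertSafeLocale(locale, maxLen = MAX_AFFIX_LENGTH) {
  const problems = findUnsafeAffixes(locale, maxLen);
  if (problems.length > 0) {
    throw new Error('Rejected locale rule: ' + problems.join('; '));
  }
  return locale;
}

// Constructed sample locales (not taken from a real locale file).
const pattern = (posPre) => ({ posPre, posSuf: '', negPre: '-' + posPre, negSuf: '' });
const okLocale = { NUMBER_FORMATS: { PATTERNS: [pattern(''), pattern('\u00a4')] } };
const badLocale = { NUMBER_FORMATS: { PATTERNS: [pattern(''), pattern(' '.repeat(5000))] } };

console.log(findUnsafeAffixes(okLocale));
console.log(findUnsafeAffixes(badLocale));
```

Run the check at the point where locale data enters the application, before the locale is registered with AngularJS.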
References
- GHSA-m2h2-264f-f486
- snyk.io
- stackblitz.com
- lists.debian.org
- lists.fedoraproject.org
- security.netapp.com
- CVE-2022-25844
- CWE-1333
- CWE-770
- CAPEC-310
- OWASP 2021-A6
Related Issues
- angular vulnerable to regular expression denial of service via the <input type="url"> element - CVE-2023-26118
- Showdown vulnerable to Regular Expression Denial of Service (ReDoS) in link/anchor parsing - CVE-2024-1899
- angular vulnerable to regular expression denial of service via the $resource service - CVE-2023-26117
- steal vulnerable to Regular Expression Denial of Service via input variable - CVE-2022-37260
Tags: npm, angular
Last updated on November 03, 2025


