Description
AngularJS lets users write client-side web applications. The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS): a custom locale rule can assign a very long string to NUMBER_FORMATS.PATTERNS[1].posPre, for example ' '.repeat() with a very high count.
Note: 1.
Recommendation
No fix is available yet. The following versions are affected:
- >= 1.7.0
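With no fixed release, one option is to bound the affix strings in any locale data that does not ship with the application before it is used for formatting. The following is an added example, not code from AngularJS or from this advisory; the function names, the 16-character cap and the sample locale objects are assumptions.

```javascript
// Added example: guard for untrusted locale data (names and limit are assumptions).
const MAX_AFFIX_LENGTH = 16; // assumed cap; real locale affixes are a few characters
const AFFIX_KEYS = ['posPre', 'posSuf', 'negPre', 'negSuf'];

// Returns a list of problems found in locale.NUMBER_FORMATS.PATTERNS.
function findUnsafeAffixes(locale, maxLen = MAX_AFFIX_LENGTH) {
  const problems = [];
  const patterns = locale && locale.NUMBER_FORMATS && locale.NUMBER_FORMATS.PATTERNS;
  if (!Array.isArray(patterns)) {
    return [{ index: -1, key: 'PATTERNS', reason: 'missing or not an array' }];
  }
  patterns.forEach((pattern, index) => {
    for (const key of AFFIX_KEYS) {
      const value = pattern ? pattern[key] : undefined;
      if (typeof value !== 'string') {
        problems.push({ index, key, reason: 'not a string' });
      } else if (value.length > maxLen) {
        // Report the length only; never echo the oversized value into logs.
        problems.push({ index, key, reason: `length ${value.length} exceeds ${maxLen}` });
      }
    }
  });
  return problems;
}

// Throws before the locale data is handed to any formatting code.
function assertSafeLocale(locale, maxLen) {
  const problems = findUnsafeAffixes(locale, maxLen);
  if (problems.length > 0) {
    const detail = problems.map(p => `PATTERNS[${p.index}].${p.key}: ${p.reason}`).join('; ');
    throw new RangeError(`Rejected locale number formats: ${detail}`);
  }
  return locale;
}

// Constructed sample data modelled on the shape of an AngularJS $locale object.
const goodLocale = { NUMBER_FORMATS: { PATTERNS: [
  { posPre: '', posSuf: '', negPre: '-', negSuf: '' },
  { posPre: '\u00A4', posSuf: '', negPre: '-\u00A4', negSuf: '' },
] } };
const badLocale = JSON.parse(JSON.stringify(goodLocale));
badLocale.NUMBER_FORMATS.PATTERNS[1].posPre = ' '.repeat(100000); // the case in the advisory
```

Call `assertSafeLocale` at the point where locale overrides enter the application, such as a configuration loader, so oversized values are rejected before any number or currency formatting runs.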
References
- GHSA-m2h2-264f-f486
- snyk.io
- stackblitz.com
- lists.debian.org
- lists.fedoraproject.org
- security.netapp.com
- CVE-2022-25844
- CWE-1333
- CWE-770
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Angular vulnerable to Cross-site Scripting - CVE-2020-7676
- Bootstrap Cross-site Scripting vulnerability (GHSA-pj7m-g53m-7638) - CVE-2018-14041
- AngularJS allows attackers to bypass common image source restrictions (GHSA-mqm9-c95h-x2p6) - CVE-2024-8373
- AngularJS allows attackers to bypass common image source restrictions - CVE-2024-8372
Tags:
- npm
- angular
Last updated on November 03, 2025