Description
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With a large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service.
Recommendation
No fix is available yet. Followings are affected versions:
- >= 1.3.0, <= 1.8.3
References
- GHSA-4w4v-5hc9-xrr2
- security.snyk.io
- stackblitz.com
- support.herodevs.com
- lists.debian.org
- CVE-2024-21490
- CWE-1333
- CAPEC-310
- OWASP 2021-A6
Related Issues
- jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext - jose-node-cjs-runtime - CVE-2024-28176
- jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext - jose-node-esm-runtime - CVE-2024-28176
- angular-base64-upload vulnerable to unauthenticated remote code execution - CVE-2024-42640
- Showdown vulnerable to Regular Expression Denial of Service (ReDoS) in link/anchor parsing - CVE-2024-1899
You might also like:
- Tags:
- npm
- angular
Anything's wrong? Let us know
Last updated on November 03, 2025