Angular Users Beware of Regular Expression Denial of Service Vulnerability

CVECVE-2024-21490
CVSScvssV3_1: 7.5
SourceCVE-2024-21490

The popular JavaScript framework Angular is affected by a vulnerability in versions prior to 1.3.0 that could allow attackers to cause denial of service through a regular expression.

The issue arises in how Angular handles the ng-srcset directive, which is used to specify images for responsive layouts. A regular expression used to split the value was susceptible to “catastrophic backtracking” when passed very long input crafted in a specific way.

Catastrophic backtracking occurs when a regular expression is allowed to recurse deeply into patterns that don’t match the input. This can consume significant computational resources and lead to the application becoming unresponsive.

An attacker could exploit this by crafting a long string that triggers the effect when passed to ng-srcset. This would cause the application to hang or crash, denying service to legitimate users.

The vulnerability has been addressed in newer versions of Angular by reworking the regular expression. However, versions prior to 1.3.0 are still at risk.

If you use an older version of Angular, it’s recommended to upgrade to the latest for security. Alternatively, consider migrating your application to the newer [@angular/core](https://www.npmjs.com/package/@angular/core) package which is actively supported. Be vigilant of regular expression vulnerabilities and keep your dependencies up-to-date.

References