GSA_kwCzR0hTQS1tMmgyLTI2NGYtZjQ4Ns3X3A

Moderate EPSS: 0.00451% (0.62934 Percentile) EPSS:

Permalink JSON

angular vulnerable to regular expression denial of service (ReDoS)

Affected Packages	Affected Versions	Fixed Versions
npm:angular PURL: `pkg:npm/angular`	>= 1.7.0	No known fixed version
4,616 Dependent packages 57,142 Dependent repositories 1,787,962 Downloads last month Affected Version Ranges All affected versions 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.8.0, 1.8.1, 1.8.2, 1.8.3

AngularJS lets users write client-side web applications. The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value.

Note:

This package has been deprecated and is no longer maintained.
The vulnerable versions are 1.7.0 and higher.

References:

https://nvd.nist.gov/vuln/detail/CVE-2022-25844
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737
https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735
https://stackblitz.com/edit/angularjs-material-blank-zvtdvb
https://security.netapp.com/advisory/ntap-20220629-0009/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO/
https://github.com/advisories/GHSA-m2h2-264f-f486

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories

GSA_kwCzR0hTQS1tMmgyLTI2NGYtZjQ4Ns3X3A

angular vulnerable to regular expression denial of service (ReDoS)

Affected Version Ranges

All affected versions

Identifiers

Risk

Severity

EPSS

Classification

Source

Origin

Date and time

Published

Updated

API