CVE-2024-21490
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/02/2024
Last modified:
16/01/2025
Description
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large, carefully crafted input, this can result in catastrophic backtracking and cause a denial of service.

**Note:** This package is EOL and will not receive any updates to address this issue. There is no fixed release of angular; users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).
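As an added illustration of the issue described above (this is not angular.js source, nor code from Snyk or HeroDevs), the block below contrasts a regex-based srcset splitter with a single-pass tokenizer that visits each character once, and adds a version check for the affected range. The pattern `REGEX_SPLITTER` is an assumption chosen for this demo to show the shape of the problem (several alternatives that all begin with `\s+` and only succeed on a later comma); it is not claimed to be the exact expression in angular.js. The helper names `craftedSrcset`, `timeSplit`, `parseSrcset` and `isAffectedVersion`, and the sample inputs, are likewise constructed for the example.

```javascript
'use strict';
// Added illustration for CVE-2024-21490; not angular.js source. It shows a
// regex-based srcset splitter (illustrative pattern, assumed for this demo),
// a single-pass tokenizer that avoids backtracking, and a version check
// for the affected range "from 1.3.0" with no fixed release.

// Illustrative splitter regex: whitespace, optional width/density descriptor,
// then a comma. Three branches start with \s+ and only succeed on a later
// comma, so a long whitespace run that never reaches a comma is re-scanned
// from every position: O(n^2) work on n bytes of whitespace.
const REGEX_SPLITTER = /(\s+\d+x\s*,|\s+\d+w\s*,|\s+,|,\s+)/;

function splitWithRegex(srcset) {
  return srcset.trim().split(REGEX_SPLITTER);
}

// Constructed attacker input: one URL, n spaces, a digit, and no comma.
function craftedSrcset(n) {
  return 'a.jpg' + ' '.repeat(n) + '1';
}

// Wall-clock cost of one split at size n (ms). For the regex, doubling n
// should roughly quadruple the result; the tokenizer only doubles it.
function timeSplit(splitter, n) {
  const input = craftedSrcset(n);
  const t0 = performance.now();
  splitter(input);
  return performance.now() - t0;
}

const isWs = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';

// Single-pass srcset tokenizer following the HTML srcset grammar: a
// candidate is a URL (run of non-whitespace) plus an optional descriptor,
// and candidates are separated by commas. No regex, no backtracking.
function parseSrcset(srcset) {
  const out = [];
  const s = String(srcset);
  const n = s.length;
  let i = 0;
  while (i < n) {
    while (i < n && (isWs(s[i]) || s[i] === ',')) i++; // leading separators
    if (i >= n) break;
    let start = i;
    while (i < n && !isWs(s[i])) i++;                   // URL token
    let url = s.slice(start, i);
    let descriptor = '';
    if (url.endsWith(',')) {
      // "url," form: trailing commas close the candidate, no descriptor
      let end = url.length;
      while (end > 0 && url[end - 1] === ',') end--;
      url = url.slice(0, end);
    } else {
      while (i < n && isWs(s[i])) i++;                  // gap before descriptor
      start = i;
      while (i < n && s[i] !== ',') i++;                // descriptor text
      descriptor = s.slice(start, i).trim();
    }
    if (url) out.push({ url, descriptor });
  }
  return out;
}

// The advisory's range is "angular >= 1.3.0" with no upper bound (EOL, no
// fix), so any 1.3.0 or later version, prerelease or not, counts as affected.
function isAffectedVersion(version) {
  const parts = String(version).split('-')[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error('unrecognised version: ' + version);
  }
  const floor = [1, 3, 0];
  for (let k = 0; k < 3; k++) {
    if (parts[k] !== floor[k]) return parts[k] > floor[k];
  }
  return true;
}

// Demo run: parse a normal value, then compare growth of both splitters.
const sample = 'small.jpg 480w, medium.jpg 800w,large.jpg 2x, plain.jpg';
console.log(parseSrcset(sample));
for (const n of [1000, 2000, 4000]) {
  const regexMs = timeSplit(splitWithRegex, n).toFixed(2);
  const linearMs = timeSplit(parseSrcset, n).toFixed(2);
  console.log(`n=${n}: regex split ${regexMs} ms, tokenizer ${linearMs} ms`);
}
console.log('angular 1.8.3 affected:', isAffectedVersion('1.8.3'));
```

Run it with `node` and watch the regex column grow by about four times per doubling of `n` while the tokenizer column grows by about two; the timing loop is the practical check for any splitter you suspect of super-linear behaviour. Because the advisory gives no fixed version, `isAffectedVersion` treats every 1.3.0 or later release as affected, which is what a dependency scan should report until the application is moved off angular.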
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
CPE | From | Up to
---|---|---
cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:* | 1.3.0 (including) | no upper bound (no fixed release)
References to Advisories, Solutions, and Tools
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6241746
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6241747
- https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113
- https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos
- https://support.herodevs.com/hc/en-us/articles/25715686953485-CVE-2024-21490-AngularJS-Regular-Expression-Denial-of-Service-ReDoS