CVE-2024-21490

This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. 


**Note:**

This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
snykCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
VendorProductVersion
angularjsangular.js
1.3.0 ≤
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
angular.js
bullseye
no-dsa
trixie
postponed
bookworm
postponed
buster
postponed
sid
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
angular.js
plucky
needed
oracular
needed
noble
needed
mantic
ignored
jammy
needed
focal
needed
bionic
needed
xenial
not-affected
trusty
ignored
Common Weakness Enumeration
References
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6241746
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6241747
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113
https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6241746
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6241747
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113
https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos
https://support.herodevs.com/hc/en-us/articles/25715686953485-CVE-2024-21490-AngularJS-Regular-Expression-Denial-of-Service-ReDoS