MEDIUM · CVSS 5.3

CVE-2024-21490 — Angular.js ReDoS in inline formatter

A ReDoS in Angular.js's input-type handling lets crafted user input block the browser render loop on legacy Angular.js apps.

Affects
  • angular.js ≤ 1.8.3 (legacy)

What an attacker does

Applications still running Angular.js (pre-Angular, EOL December 2021) are vulnerable. Attacker-controlled input to specific input-type directives triggers catastrophic backtracking in the browser regex engine.

How to detect

Check package.json for `angular` (Angular.js) vs `@angular/core` (modern Angular).
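The check above can be automated. The following is an added example, not code from Securie or the Angular.js project: it flags the npm package `angular` in a parsed package.json, and goes one step further than the text by also scanning a package-lock.json `packages` map (lockfileVersion 2/3) for transitive copies. The sample manifest, lockfile and the package name `some-widget` are constructed for illustration.

```javascript
// Added example: flag legacy Angular.js (npm package "angular") in a project.
// Inputs are already-parsed JSON objects; sample data below is constructed.
const DEP_SECTIONS = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];

// Direct dependencies declared in package.json.
function findInManifest(pkg) {
  const hits = [];
  for (const section of DEP_SECTIONS) {
    const range = (pkg[section] || {}).angular;
    if (range !== undefined) hits.push({ source: `package.json:${section}`, version: range });
  }
  return hits;
}

// Installed copies listed in package-lock.json, including ones nested
// under other packages (transitive dependencies).
function findInLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match ".../node_modules/angular" exactly, not "@angular/core" or "angular-route".
    if (/(^|\/)node_modules\/angular$/.test(path)) {
      hits.push({ source: `package-lock.json:${path}`, version: meta.version });
    }
  }
  return hits;
}

// Every "angular" version is reported: the advisory lists no patched release.
function auditAngularJs(pkg, lock) {
  const findings = [...findInManifest(pkg), ...findInLockfile(lock || {})];
  const modern = DEP_SECTIONS.some((s) => (pkg[s] || {})["@angular/core"] !== undefined);
  return { vulnerable: findings.length > 0, usesModernAngular: modern, findings };
}

// Constructed sample: a repo mid-migration that still ships Angular.js.
const samplePkg = {
  dependencies: { angular: "^1.8.2", "angular-route": "^1.8.2" },
  devDependencies: { "@angular/core": "^17.0.0" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/angular": { version: "1.8.3" },
    "node_modules/@angular/core": { version: "17.0.0" },
    "node_modules/some-widget/node_modules/angular": { version: "1.6.10" },
  },
};
console.log(auditAngularJs(samplePkg, sampleLock));
```

In a real repository, pass the results of `JSON.parse` on the two files; a lockfile hit without a manifest hit means Angular.js arrives through another dependency.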

How to fix

Migrate off Angular.js. There is no patched version; Angular.js is EOL.

How Securie catches CVE-2024-21490

Securie warns on any Angular.js dependency as EOL.
