CVE-2024-21490

Summary

This affects versions of the package angular from 1.3.0; versions of the package angularjs from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. Note: This package is EOL and will not receive any updates to address this issue. Users should migrate to @angular/core.

Affected Software

VendorProductVersion RangeStatus
n/aangular1.3.0 < *affected
n/aorg.webjars.bower:angular1.3.0 < *affected
n/aorg.webjars.npm:angular1.3.0 < *affected
n/aangularjs1.3.0 < *affected

Weaknesses

  • CWE-1333: Regular Expression Denial of Service (ReDoS)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References