CVE-2024-21490

CVSS V2 None CVSS V3 None

Description

This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).

Overview

CVE ID
CVE-2024-21490

Assigner
snyk

Vulnerability Status
PUBLISHED

Published Version
2024-02-10T05:00:01.641Z

Last Modified Date
2024-03-06T14:09:37.365Z

Weakness Enumerations

CWE	URL
CWE-1333	http://cwe.mitre.org/data/definitions/1333.html

References

Reference URL	Reference Tags
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6241746
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6241747
https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos
https://support.herodevs.com/hc/en-us/articles/25715686953485-CVE-2024-21490-AngularJS-Regular-Expression-Denial-of-Service-ReDoS

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-21490
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21490

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 15:10:11				Added to TrackCVE