MEDIUM · CVSS 5.3
CVE-2024-21490 — Angular.js ReDoS in inline formatter
A ReDoS in Angular.js's input-type handling lets crafted user input block the browser render loop on legacy Angular.js apps.
Affects
- angular.js ≤ 1.8.3 (legacy)
What an attacker does
Applications still running Angular.js (the predecessor of modern Angular, EOL December 2021) are vulnerable. Attacker-controlled input to specific input-type directives triggers catastrophic backtracking in the browser's regex engine.
How to detect
Check package.json for `angular` (Angular.js) vs `@angular/core` (modern Angular).
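The check above as a script. This is an added example, not Securie's code or part of the original advisory. It goes one step beyond the manifest by also reading the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) so that transitive copies are reported; the function names and the sample data are assumptions made for illustration.

```javascript
// Added example: flag legacy Angular.js (npm package "angular") in an
// npm manifest and lockfile. Function names are hypothetical.
const MANIFEST_SECTIONS = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];

// Direct declarations in package.json.
function scanManifest(pkg) {
  const findings = [];
  for (const section of MANIFEST_SECTIONS) {
    const deps = pkg[section] || {};
    // Exact name match so that "@angular/core" (modern Angular) is not flagged.
    if (Object.prototype.hasOwnProperty.call(deps, "angular")) {
      findings.push({ source: "package.json", where: section, version: deps.angular });
    }
  }
  return findings;
}

// Resolved copies in package-lock.json (lockfileVersion 2/3 "packages" map),
// including transitive ones nested under another package's node_modules.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/angular" || path.endsWith("/node_modules/angular")) {
      findings.push({ source: "package-lock.json", where: path, version: meta.version });
    }
  }
  return findings;
}

// The advisory lists no patched version, so every hit is reportable.
function findAngularJs(pkg, lock = {}) {
  return [...scanManifest(pkg), ...scanLockfile(lock)];
}

// Constructed sample input (not from a real project).
const samplePkg = {
  dependencies: { "@angular/core": "^17.0.0" },
  devDependencies: { angular: "^1.8.0" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/@angular/core": { version: "17.0.0" },
    "node_modules/angular": { version: "1.8.3" },
    "node_modules/legacy-widget/node_modules/angular": { version: "1.6.10" },
  },
};

console.log(findAngularJs(samplePkg, sampleLock));
```

To run it against a real project, pass the `JSON.parse` results of `package.json` and `package-lock.json` to `findAngularJs`.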
How to fix
Migrate off Angular.js. There is no patched version; Angular.js is EOL.
How Securie catches it
Securie warns on any Angular.js dependency as EOL.