CVE-2022-25844

The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. Note: 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.

Published: May 1, 2022
Updated: May 9, 2024
CVE: CVE-2022-25844
GHSA: GHSA-m2h2-264f-f486
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-770
CWE-1333

Affected Software
References

Software	From	Fixed in
angularjs / angular	1.7.0	1.7.0.x
fedoraproject / fedora	35	35.x
fedoraproject / fedora	36	36.x
@schematics / angular	1.7.0	-

https://lists.fedoraproject.org/archives/list/[email protected]/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3/
https://lists.fedoraproject.org/archives/list/[email protected]/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO/
https://security.netapp.com/advisory/ntap-20220629-0009/
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737
https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735
https://stackblitz.com/edit/angularjs-material-blank-zvtdvb

Vulnerability Database

289,599

CVE-2022-25844