CVE-2024-21490

This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service.

Note:

This package is EOL and will not receive any updates to address this issue. Users should migrate to @angular/core.

Published: Feb 10, 2024
Updated: May 4, 2025
CVE: CVE-2024-21490
GHSA: GHSA-4w4v-5hc9-xrr2
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-1333

Affected Software
References

Software	From	Fixed in
@schematics / angular	1.3.0	1.8.3.x
org.webjars.npm / angular	1.3.0	1.8.3.x
org.webjars.bower / angular	1.3.0	1.8.3.x
angularjs / angular.js	1.3.0	1.3.0.x

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6241746
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6241747
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113
https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos
https://support.herodevs.com/hc/en-us/articles/25715686953485-CVE-2024-21490-AngularJS-Regular-Expression-Denial-of-Service-ReDoS

Vulnerability Database

289,599

CVE-2024-21490