CVE-2025-4690: A ReDoS Vulnerability in AngularJS’s linky Filter
CVE-2025-4690 exposes AngularJS applications to ReDoS attacks—HeroDevs delivers the fix with NES-supported releases.

A newly disclosed vulnerability in AngularJS’s ngSanitize module (the angular-sanitize package) poses a denial-of-service risk for applications still relying on the framework. Tracked as CVE-2025-4690, the flaw originates in the linky filter, which converts URLs and e-mail addresses found in plain text into sanitized, clickable HTML links. The issue affects every upstream version of AngularJS and is classified as a Regular Expression Denial of Service (ReDoS).
The Risk Behind linky
The linky filter is a utility that appears in countless legacy AngularJS applications. At its core, it scans the input text for URLs with a regular expression, wraps each match in a sanitized anchor tag, and returns the resulting HTML, which applications typically render with ng-bind-html.
However, that regular expression is prone to catastrophic backtracking: on certain malformed inputs the matching time grows super-linearly with the length of the text, so a crafted string costs the engine far more work than its size would suggest. This behaviour can be exploited to monopolize CPU, either slowing the application to a crawl or taking it offline entirely.
Because linky runs wherever ngSanitize runs, usually the user’s browser, the typical outcome is that a page rendering attacker-controlled text through the filter (a comment, a message, a profile field) hangs the tab of every user who loads it; where the filter executes in a Node.js process, for example during server-side rendering, that process stalls instead. In high-traffic production environments, even a single crafted payload can create performance issues that escalate quickly. While the vulnerability is labelled “Medium” severity, the practical impact can be severe, especially when untrusted input flows through unpatched code paths.
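The check a practitioner wants before and after upgrading is whether match time really grows super-linearly with input length. The harness below is an added example and is not code from AngularJS or from HeroDevs. It assumes a stand-in pattern, LINKY_LIKE_REGEXP, that mirrors the shape of linky’s URL matcher (a scheme://, www., or e-mail-style “local-part@” prefix followed by non-space characters); it is not quoted from any specific AngularJS release, so compare it with the LINKY_URL_REGEXP in your own angular-sanitize.js before drawing conclusions about a particular build. The adversarial and benign inputs are constructed here for illustration.

```javascript
// Added example, not code from AngularJS or from HeroDevs: a small harness that
// measures how a regular expression's match time scales with input length.
// Catastrophic backtracking shows up as super-linear growth: doubling the input
// roughly quadruples the time for a quadratic pattern (and does far worse for an
// exponential one), whereas a well-behaved pattern roughly doubles it.
//
// ASSUMPTION: LINKY_LIKE_REGEXP is a stand-in that mirrors the shape of linky's
// URL matcher (a scheme://, www., or e-mail-style "local-part@" prefix followed
// by non-space characters). It is not quoted from a specific AngularJS release;
// compare it with LINKY_URL_REGEXP in your own angular-sanitize.js.
const LINKY_LIKE_REGEXP =
  /((s?ftp|https?):\/\/|(www\.)|(mailto:)?[A-Za-z0-9._%+-]+@)\S*[^\s.;,(){}<>"\u201d\u2019]/i;

// Constructed adversarial input for the e-mail branch: a run of characters that
// all belong to the local-part class but never reach an '@'. At every start
// offset the engine greedily consumes the rest of the string and then backtracks
// one character at a time looking for '@', so the total work is about n^2 / 2.
function craftAdversarial(n) {
  return 'a'.repeat(n);
}

// Constructed benign input of the same length: a space cannot begin any branch
// of the pattern, so each offset is rejected immediately and the scan is linear.
function craftBenign(n) {
  return ' '.repeat(n);
}

// Wall-clock milliseconds for a single test() call.
function timeMatch(regexp, input) {
  const start = process.hrtime.bigint();
  regexp.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Best-of-k timing is much less noisy than a single run.
function bestOf(k, fn) {
  let best = Infinity;
  for (let i = 0; i < k; i++) best = Math.min(best, fn());
  return best;
}

// Times the pattern on inputs that double in size and returns the timings plus
// the ratio between consecutive ones: about 2 means linear, about 4 quadratic.
function growthProfile(regexp, craft, sizes, runs = 3) {
  regexp.test(craft(64)); // warm the engine up before measuring
  const times = sizes.map((n) => bestOf(runs, () => timeMatch(regexp, craft(n))));
  const ratios = times.slice(1).map((t, i) => t / times[i]);
  return { sizes, times, ratios };
}

// Verdict from the largest-input ratio. The 2.5 threshold sits between linear
// (~2) and quadratic (~4) growth, leaving margin for timer noise.
function classify(regexp, craft, sizes = [2000, 4000, 8000]) {
  const { ratios } = growthProfile(regexp, craft, sizes);
  return ratios[ratios.length - 1] > 2.5 ? 'super-linear' : 'linear';
}

// The stand-in still handles ordinary text correctly; the defect is cost on
// adversarial input, not wrong answers on normal input.
function matchesOrdinaryLink() {
  return LINKY_LIKE_REGEXP.test('Docs: https://example.com/path, mail: me@example.com');
}

// Both profiles side by side: the adversarial timings climb roughly fourfold per
// doubling, while the benign ones stay in the microsecond range.
function report() {
  const sizes = [2000, 4000, 8000];
  return {
    adversarial: growthProfile(LINKY_LIKE_REGEXP, craftAdversarial, sizes),
    benign: growthProfile(LINKY_LIKE_REGEXP, craftBenign, sizes),
    verdict: classify(LINKY_LIKE_REGEXP, craftAdversarial, sizes),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

Run the file with node and read the adversarial ratios: a pattern that is safe on this input class reports about 2 per doubling, a quadratic one about 4. Absolute timings depend on the machine, which is why the verdict is taken from the ratio rather than from a fixed millisecond budget; the same harness, pointed at the pattern from an upgraded angular-sanitize.js, confirms whether the fix actually bounds the cost.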
End-of-Life Software, Ongoing Risk
This vulnerability affects all upstream versions of AngularJS, a framework whose official support ended on December 31, 2021. With no upstream maintainers, organizations using AngularJS are left without community patches or guaranteed updates.
The problem isn’t just CVE-2025-4690. It’s the broader reality that once-reliable frameworks are becoming liabilities. Legacy software doesn’t stop running, but it does stop receiving the fixes that keep it safe in today’s threat landscape.
The HeroDevs Fix
At HeroDevs, we maintain Never-Ending Support for end-of-life frameworks like AngularJS.
The vulnerability has been resolved in AngularJS NES v1.9.10 and v1.5.26.
These versions are fully drop-in replacements for legacy AngularJS applications. No rewrites, workarounds, or brittle mitigations required.
Our clients receive private security advisories, versioned updates, and guaranteed patch SLAs for supported products. We don’t wait for vulnerabilities to go public—we proactively find, fix, and secure frameworks.
Moving Forward
If your team is still running AngularJS in production, CVE-2025-4690 is another wake-up call. ReDoS issues are notoriously hard to detect, because the vulnerable pattern behaves correctly on ordinary input and only misbehaves on specific adversarial strings, and easy to exploit, because the attacker needs nothing more than the ability to submit text that the application will run through the filter. Left unaddressed, they quietly create fragility in critical systems.
Never-Ending Support gives you time to plan a responsible migration without putting your business or customers at risk.
Contact our team to learn more about securing legacy frameworks with HeroDevs. Explore pricing.