CVE-2024-21490

ReDoS Vulnerability affects AngularJS
Versions: >=1.3.0
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Steps to Reproduce

Starting with version 1.3.0 of AngularJS, it is possible to conduct a Regular Expression Denial of Service (ReDoS) attack. Because the package uses a regular expression to split the value of the ng-srcset directive, a malicious actor who carefully composes an ng-srcset value can cause catastrophic backtracking and monopolize system resources. A proof of concept demonstrating this exploit is available on StackBlitz.

Addressing the Issue

The fix for this exploit is available in AngularJS XLTS/NES versions 1.9.3 and 1.5.19; site owners should update to these versions.

Learning and Prevention

ReDoS attacks make the target system attempt a regular expression pattern match that takes a very long time to complete, thereby denying service to legitimate users of the system. It is a form of Denial of Service (DoS) attack.

In the attack, the regular expression engine executes a series of steps as it attempts to find a match. Some of these steps complete quickly, while others, especially those that fail, take much longer. In this case, when the browser attempts to match the directive's regular expression against an input carefully crafted by the attacker, the browser may spend an extraordinary amount of time returning a result as it backtracks to try alternative matches.
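The following is an added example and not AngularJS code or the HeroDevs fix. It shows the defensive pattern the two sections above point at: bound the size of untrusted directive input before matching anything, and split a srcset value with linear-time string operations and anchored single-quantifier patterns instead of a backtracking-prone regular expression. The function and constant names, the length cap and the simplified srcset grammar (comma-separated candidates of "url [descriptor]") are assumptions made for the example.

```javascript
// Added example, not code from AngularJS or from the advisory.
// Assumptions: candidates are comma-separated; each candidate is a URL
// optionally followed by one descriptor, a width ("320w") or a density ("1.5x").

// Constructed cap: reject oversized input before any matching happens, so an
// attacker cannot feed an arbitrarily long value into the parser.
const MAX_SRCSET_LENGTH = 4096;

// Anchored patterns with a single, non-nested quantifier each. The engine
// scans the string once and has no alternative paths to backtrack into.
const WIDTH_DESCRIPTOR = /^\d+w$/;
const DENSITY_DESCRIPTOR = /^\d+(\.\d+)?x$/;

// Parse a srcset-style value into [{url, descriptor}] in time linear in its length.
// Invalid candidates are dropped rather than guessed at.
function parseSrcset(value) {
  if (typeof value !== 'string') return [];
  if (value.length > MAX_SRCSET_LENGTH) {
    throw new RangeError('srcset value exceeds ' + MAX_SRCSET_LENGTH + ' characters');
  }
  const candidates = [];
  // split() with a literal separator is a linear scan, not a regex match.
  for (const piece of value.split(',')) {
    const trimmed = piece.trim();
    if (trimmed === '') continue;            // tolerate trailing or doubled commas
    const parts = trimmed.split(/\s+/);      // /\s+/ is a single quantifier: linear
    if (parts.length > 2) continue;          // "url w h" style garbage: reject
    const url = parts[0];
    const descriptor = parts.length === 2 ? parts[1] : null;
    if (descriptor !== null &&
        !WIDTH_DESCRIPTOR.test(descriptor) &&
        !DENSITY_DESCRIPTOR.test(descriptor)) {
      continue;                              // unknown descriptor: reject the candidate
    }
    candidates.push({ url: url, descriptor: descriptor });
  }
  return candidates;
}

// Rebuild a normalized srcset string from parsed candidates, which is what a
// directive would bind back onto the element after validating each URL.
function serializeSrcset(candidates) {
  return candidates
    .map(function (c) { return c.descriptor ? c.url + ' ' + c.descriptor : c.url; })
    .join(', ');
}

// Returns true when the value is rejected outright by the size guard.
function isRejectedAsOversized(value) {
  try {
    parseSrcset(value);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// Constructed sample input (not from the advisory).
const SAMPLE = 'small.jpg 320w, medium.jpg 640w , large.jpg 2x, bogus.jpg 9q,, plain.jpg';
console.log(serializeSrcset(parseSrcset(SAMPLE)));
```

The important design choice is that every pattern applied to untrusted text is anchored and has no nested or overlapping quantifiers, so its running time is proportional to the input length, and the input length itself is capped before parsing begins.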

Conclusion

The fix described in this vulnerability is present in AngularJS XLTS/NES versions 1.9.3 and 1.5.19 and is immediately available to HeroDevs AngularJS Never-Ending Support clients. If you would like the peace of mind that comes from a HeroDevs Never-Ending Support subscription, contact our sales team today.

Resources

NIST 2024-21490 entry

Vulnerability Details

ID: CVE-2024-21490
Project Affected: AngularJS
Versions Affected: >=1.3.0
Published date: February 10, 2024
≈ Fix date: August 1, 2023
Severity: High (CVSS bands: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
Category: ReDoS Vulnerability