CVE-2024-21490

 

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).

*Credits: George Kalpakas
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-12-22 CVE Reserved
  • 2024-02-10 CVE Published
  • 2024-03-07 EPSS Updated
  • 2024-08-01 CVE Updated
  • 2024-08-01 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-1333: Inefficient Regular Expression Complexity
CAPEC
Affected Vendors, Products, and Versions

Vendor    Product    Version     Other     Status
Angular   Angular    >= 1.3.0    node.js   Affected