High Severity Vulnerability
This vulnerability has been rated as High severity. Immediate action is recommended.
CVE-2024-21490
High
Low
Medium
High
Critical
7.5
CVSS Score
Published: Feb 10, 2024
Last Modified: Nov 03, 2025
Vulnerability Description
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service.
**Note:**
This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
N
Attack Complexity
L
Privileges Required
N
User Interaction
N
Scope
U
Confidentiality
N
Integrity
N
Availability
H
Known Affected Software
71 configuration(s) from 1 vendor(s)
angular.js
Version:
1.4.14
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.14:*:*:*:*:*:*:*
angular.js
Version:
1.4.10
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.10:*:*:*:*:*:*:*
angular.js
Version:
1.3.4
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.4:*:*:*:*:*:*:*
angular.js
Version:
1.3.15
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.15:*:*:*:*:*:*:*
angular.js
Version:
1.3.17
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.17:*:*:*:*:*:*:*
angular.js
Version:
1.3.0
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.0:-:*:*:*:*:*:*
angular.js
Version:
1.3.18
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.18:*:*:*:*:*:*:*
angular.js
Version:
1.7.3
CPE:
cpe:2.3:a:angularjs:angular.js:1.7.3:*:*:*:*:*:*:*
angular.js
Version:
1.3.20
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.20:*:*:*:*:*:*:*
angular.js
Version:
1.3.2
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.2:*:*:*:*:*:*:*
angular.js
Version:
1.5.11
CPE:
cpe:2.3:a:angularjs:angular.js:1.5.11:*:*:*:*:*:*:*
angular.js
Version:
1.3.10
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.10:*:*:*:*:*:*:*
angular.js
Version:
1.4.7
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.7:*:*:*:*:*:*:*
angular.js
Version:
1.7.5
CPE:
cpe:2.3:a:angularjs:angular.js:1.7.5:*:*:*:*:*:*:*
angular.js
Version:
1.4.0
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.0:-:*:*:*:*:*:*
angular.js
Version:
1.5.7
CPE:
cpe:2.3:a:angularjs:angular.js:1.5.7:*:*:*:*:*:*:*
angular.js
Version:
1.3.14
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.14:*:*:*:*:*:*:*
angular.js
Version:
1.4.5
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.5:*:*:*:*:*:*:*
angular.js
Version:
1.6.10
CPE:
cpe:2.3:a:angularjs:angular.js:1.6.10:*:*:*:*:*:*:*
angular.js
Version:
1.6.9
CPE:
cpe:2.3:a:angularjs:angular.js:1.6.9:*:*:*:*:*:*:*
angular.js
Version:
1.7.1
CPE:
cpe:2.3:a:angularjs:angular.js:1.7.1:*:*:*:*:*:*:*
angular.js
Version:
1.4.1
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.1:*:*:*:*:*:*:*
angular.js
Version:
1.3.9
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.9:*:*:*:*:*:*:*
angular.js
Version:
1.5.2
CPE:
cpe:2.3:a:angularjs:angular.js:1.5.2:*:*:*:*:*:*:*
angular.js
Version:
1.6.4
CPE:
cpe:2.3:a:angularjs:angular.js:1.6.4:*:*:*:*:*:*:*
angular.js
Version:
1.5.10
CPE:
cpe:2.3:a:angularjs:angular.js:1.5.10:*:*:*:*:*:*:*
angular.js
Version:
1.7.0
CPE:
cpe:2.3:a:angularjs:angular.js:1.7.0:-:*:*:*:*:*:*
angular.js
Version:
1.5.9
CPE:
cpe:2.3:a:angularjs:angular.js:1.5.9:*:*:*:*:*:*:*
angular.js
Version:
1.5.4
CPE:
cpe:2.3:a:angularjs:angular.js:1.5.4:*:*:*:*:*:*:*
angular.js
Version:
1.7.7
CPE:
cpe:2.3:a:angularjs:angular.js:1.7.7:*:*:*:*:*:*:*
angular.js
Version:
1.3.8
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.8:*:*:*:*:*:*:*
angular.js
Version:
1.3.5
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.5:*:*:*:*:*:*:*
angular.js
Version:
1.6.1
CPE:
cpe:2.3:a:angularjs:angular.js:1.6.1:*:*:*:*:*:*:*
angular.js
Version:
1.5.1
CPE:
cpe:2.3:a:angularjs:angular.js:1.5.1:*:*:*:*:*:*:*
angular.js
Version:
1.4.6
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.6:*:*:*:*:*:*:*
angular.js
Version:
1.5.8
CPE:
cpe:2.3:a:angularjs:angular.js:1.5.8:*:*:*:*:*:*:*
angular.js
Version:
1.4.4
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.4:*:*:*:*:*:*:*
angular.js
Version:
1.6.2
CPE:
cpe:2.3:a:angularjs:angular.js:1.6.2:*:*:*:*:*:*:*
angular.js
Version:
1.4.9
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.9:*:*:*:*:*:*:*
angular.js
Version:
1.4.13
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.13:*:*:*:*:*:*:*
angular.js
Version:
1.5.6
CPE:
cpe:2.3:a:angularjs:angular.js:1.5.6:*:*:*:*:*:*:*
angular.js
Version:
1.3.3
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.3:*:*:*:*:*:*:*
angular.js
Version:
1.3.19
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.19:*:*:*:*:*:*:*
angular.js
Version:
1.6.7
CPE:
cpe:2.3:a:angularjs:angular.js:1.6.7:*:*:*:*:*:*:*
angular.js
Version:
1.4.2
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.2:*:*:*:*:*:*:*
angular.js
Version:
1.4.8
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.8:*:*:*:*:*:*:*
angular.js
Version:
1.3.1
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.1:*:*:*:*:*:*:*
angular.js
Version:
1.6.0
CPE:
cpe:2.3:a:angularjs:angular.js:1.6.0:-:*:*:*:*:*:*
angular.js
Version:
1.3.13
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.13:*:*:*:*:*:*:*
angular.js
Version:
1.7.2
CPE:
cpe:2.3:a:angularjs:angular.js:1.7.2:*:*:*:*:*:*:*
angular.js
Version:
1.3.6
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.6:*:*:*:*:*:*:*
angular.js
Version:
1.4.11
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.11:*:*:*:*:*:*:*
angular.js
Version:
1.8.0
CPE:
cpe:2.3:a:angularjs:angular.js:1.8.0:*:*:*:*:*:*:*
angular.js
Version:
1.7.6
CPE:
cpe:2.3:a:angularjs:angular.js:1.7.6:*:*:*:*:*:*:*
angular.js
Version:
1.3.11
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.11:*:*:*:*:*:*:*
angular.js
Version:
1.5.5
CPE:
cpe:2.3:a:angularjs:angular.js:1.5.5:*:*:*:*:*:*:*
angular.js
Version:
1.6.3
CPE:
cpe:2.3:a:angularjs:angular.js:1.6.3:*:*:*:*:*:*:*
angular.js
Version:
1.4.3
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.3:*:*:*:*:*:*:*
angular.js
Version:
1.3.12
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.12:*:*:*:*:*:*:*
angular.js
Version:
1.5.0
CPE:
cpe:2.3:a:angularjs:angular.js:1.5.0:-:*:*:*:*:*:*
angular.js
Version:
1.7.9
CPE:
cpe:2.3:a:angularjs:angular.js:1.7.9:*:*:*:*:*:*:*
angular.js
Version:
1.6.5
CPE:
cpe:2.3:a:angularjs:angular.js:1.6.5:*:*:*:*:*:*:*
angular.js
Version:
1.7.8
CPE:
cpe:2.3:a:angularjs:angular.js:1.7.8:*:*:*:*:*:*:*
angular.js
Version:
1.3.16
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.16:*:*:*:*:*:*:*
angular.js
Version:
1.9.6
CPE:
cpe:2.3:a:angularjs:angular.js:1.9.6:*:*:*:*:*:*:*
angular.js
Version:
1.3.7
CPE:
cpe:2.3:a:angularjs:angular.js:1.3.7:*:*:*:*:*:*:*
angular.js
Version:
1.6.8
CPE:
cpe:2.3:a:angularjs:angular.js:1.6.8:*:*:*:*:*:*:*
angular.js
Version:
1.6.6
CPE:
cpe:2.3:a:angularjs:angular.js:1.6.6:*:*:*:*:*:*:*
angular.js
Version:
1.5.3
CPE:
cpe:2.3:a:angularjs:angular.js:1.5.3:*:*:*:*:*:*:*
angular.js
Version:
1.7.4
CPE:
cpe:2.3:a:angularjs:angular.js:1.7.4:*:*:*:*:*:*:*
angular.js
Version:
1.4.12
CPE:
cpe:2.3:a:angularjs:angular.js:1.4.12:*:*:*:*:*:*:*
This vulnerability affects 71 software configuration(s). Ensure you patch all affected systems.
Canonical (Ubuntu)
USN-7958-1
USN-7958-1: AngularJS vulnerabilities
Severity
Unknown
Released
Jan 14, 2026
Security Update
References & Resources
-
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6241746report@snyk.io Third Party Advisory
-
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6241747report@snyk.io Third Party Advisory
-
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113report@snyk.io Third Party Advisory
-
https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redosreport@snyk.io Exploit Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2025/07/msg00005.htmlaf854a3a-2127-422b-91ae-364da2661108
-
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6241746af854a3a-2127-422b-91ae-364da2661108 Third Party Advisory
-
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6241747af854a3a-2127-422b-91ae-364da2661108 Third Party Advisory
-
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113af854a3a-2127-422b-91ae-364da2661108 Third Party Advisory
-
https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redosaf854a3a-2127-422b-91ae-364da2661108 Exploit Third Party Advisory
-
https://support.herodevs.com/hc/en-us/articles/25715686953485-CVE-2024-21490-AngularJS-Regular-Expression-Denial-of-Service-ReDoSaf854a3a-2127-422b-91ae-364da2661108 Third Party Advisory
Severity Details
7.5
out of 10.0
High
Key Information
- Published Date
- February 10, 2024
