CVE-2024-21490: Inefficient Regular Expression Complexity

February 10, 2024 (updated April 4, 2024)

This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With a large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. Note: This package is EOL and will not receive any updates to address this issue. Users should migrate to @angular/core.

References

github.com/advisories/GHSA-4w4v-5hc9-xrr2
nvd.nist.gov/vuln/detail/CVE-2024-21490
security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113
stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos

Code Behaviors & Features

Detect and mitigate CVE-2024-21490 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →