Listen to this Post
This DoS vulnerability resides in AngularJS (1.7.0 and later) when a custom locale rule allows an attacker to assign a very long string to the `posPre` parameter of NUMBER_FORMATS.PATTERNS
</code>. While the original report focuses on number formatting, the same unvalidated input pattern can be abused in date‑formatting flows – e.g., when an excessively long date‑format string is supplied to `formatDate` (or the <code>DatePipe</code>). The internal parser splits the string iteratively using a regular‑expression loop, causing catastrophic backtracking. This consumes 100% CPU and exhausts memory, leading to a full Denial of Service.
In Server‑Side Rendering (SSR) the attack crashes the Node.js process with a heap‑out‑of‑memory error, taking the whole application offline. In Client‑Side Rendering (CSR) the main thread is blocked, freezing the browser tab. The vulnerability is exploitable only when the date‑format string is user‑controlled; hardcoded or well‑validated format strings are safe.
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: AngularJS
Version: 1.7.0+
Vulnerability: Regular Expression DoS
Severity: Moderate
date: 2022‑05‑01
<h2 style="color: blue;">Prediction: 2022‑05‑04</h2>
<h2 style="color: blue;">What Undercode Say</h2>
[bash]
Check vulnerable AngularJS version
npm list angular | grep angular@1
Simulate attack (conceptual - triggers ReDoS in formatDate)
node -e "const {formatDate} = require('@angular/common'); formatDate(new Date(), 'y'.repeat(50000), 'en');"
The above command forces the date parser to process a 50,000‑character format string, causing CPU saturation and memory exhaustion.
Exploit
An attacker supplies a maliciously long date‑format string (e.g., 'y'.repeat(50000)) through any user‑controllable input, such as a query parameter, a preference field, or an API payload. When the application passes this string to `formatDate` or DatePipe, the internal regex engine enters catastrophic backtracking, looping repeatedly and allocating excessive memory.
Protection
- Upgrade – AngularJS 1.7.0 and later are vulnerable; upgrade to the latest version (though AngularJS is deprecated, switch to a modern Angular version for full security).
- Input validation – Restrict the length of any user‑supplied format string (e.g., max 50 characters) and reject any input that exceeds the limit.
- Use allowlists – Only permit a predefined set of safe format strings (e.g.,
'mediumDate','shortTime') and reject free‑form format input. - Web Application Firewall (WAF) – Deploy a WAF rule to block requests containing extremely long format parameters.
Impact
- SSR applications – The Node.js process crashes, causing a full application outage for all users.
- CSR applications – The browser tab becomes completely unresponsive, degrading the user experience to the point of unusability.
- Resource exhaustion – High CPU usage and memory leaks can also affect other processes running on the same host.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
