Angular (CVE-2026-XXXX: High) – DoS via digitsInfo Parameter -DC-Jun2026-398


The vulnerability resides in the `formatNumber` function inside @angular/common, which is also used by DecimalPipe, PercentPipe, and CurrencyPipe. This function accepts an optional `digitsInfo` string that controls the decimal formatting (e.g., "1.2-4"). The string is parsed into minFractionDigits and maxFractionDigits without any upper bound validation.
An attacker can supply a crafted `digitsInfo` string containing an extremely large fraction-digit value, such as "1.200000000-200000000". When this happens, the internal `roundNumber` routine will attempt to pad the digits array to the requested size. Since there is no check on the magnitude of the requested fraction digits, the loop responsible for padding runs indefinitely, repeatedly pushing new elements onto an array. This leads to an unbounded loop that consumes all available CPU and memory.

Impact

  • Server‑Side Rendering (SSR): The Node.js process crashes with a `JavaScript heap out of memory` error, causing a full denial of service for all users of the application.
  • Client‑Side Rendering (CSR): The main browser thread is blocked, freezing the entire tab and making the application completely unresponsive.

Exploitation Preconditions

  • The application must use any of the vulnerable formatting utilities (formatNumber, DecimalPipe, PercentPipe, or CurrencyPipe).
  • The `digitsInfo` parameter must be under attacker control (e.g., read from a URL parameter, user preference, or an API response that accepts arbitrary formatting strings). If the parameter is hard‑coded or restricted to a small set of safe values, the vulnerability cannot be triggered from the outside.

Patches

Fixed versions:

– `22.0.0-rc.2`
– `21.2.15`
– `20.3.22`
– `19.2.23`

Credit

Discovered and reported by CodeMender from Google DeepMind.

DailyCVE Form

Platform: Angular
Version: < 22.0.0-rc.2
Vulnerability: DoS via digitsInfo
Severity: High
Date: 2026-06-03

Prediction: Patches already available

What Undercode Say

Check if the server crashes with a malicious digitsInfo value
curl -X GET "http://victim-app/api/format?value=123.456&digits=1.200000000-200000000"

Analytics insight: The attack forces the `roundNumber` helper to enter an unbounded array‑push loop. Monitoring the event loop delay and heap memory usage can help detect such anomalies.

Exploit

import { formatNumber } from '@angular/common';

// Malicious input that triggers the unbounded loop
const maliciousDigits = "1.200000000-200000000";
// Force the formatNumber call with the tainted parameter; on a vulnerable
// version this call never returns, because roundNumber keeps padding the digits array
formatNumber(123.456, "en-US", maliciousDigits);

In an SSR context, sending a request like `/currency?digits=1.200000000-200000000` will crash the entire Node.js process.

Protection from this CVE

  • Update Angular to one of the patched versions (22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23).
  • Validate and sanitize any user‑supplied `digitsInfo` string before passing it to formatting functions; reject values where `minFractionDigits` or `maxFractionDigits` exceed a safe threshold (e.g., 20).
  • Use a Web Application Firewall (WAF) to block requests containing suspicious `digitsInfo` patterns (e.g., `\d+\.\d+-\d{6,}`).
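One way to implement the validation step from the second bullet, as an added example that is not Angular's or the advisory's own code. It assumes Angular's `digitsInfo` grammar `{minIntegerDigits}.{minFractionDigits}-{maxFractionDigits}` (e.g., "1.2-4"), the 20-digit threshold given above, and a fallback of "1.0-3" when the input is rejected; `parseDigitsInfo` and `safeDigitsInfo` are hypothetical helper names.

```typescript
// Added example: validate a user-supplied digitsInfo string before it reaches
// formatNumber / DecimalPipe / PercentPipe / CurrencyPipe.

// Same grammar Angular accepts: "{minInt}.{minFrac}-{maxFrac}", every part optional
// except the dot, e.g. "1.2-4", "3.", ".0-2".
const DIGITS_INFO_RE = /^(\d+)?\.((\d+)(-(\d+))?)?$/;

// Upper bound for any digit count (assumed safe threshold from the advisory).
const MAX_DIGITS = 20;
// Longest string that can still be within bounds is "20.20-20" (8 chars); anything
// longer cannot be legitimate, so it is rejected before any parsing.
const MAX_LENGTH = 8;

interface DigitsInfo {
  minInt: number;
  minFrac: number;
  maxFrac: number;
}

// Returns the parsed, bounded values, or null if the string is malformed or hostile.
function parseDigitsInfo(digitsInfo: string): DigitsInfo | null {
  if (digitsInfo.length > MAX_LENGTH) return null;
  const m = DIGITS_INFO_RE.exec(digitsInfo);
  if (m === null) return null;
  // Defaults (assumed): 1 integer digit, 0..3 fraction digits when parts are omitted.
  const minInt = m[1] !== undefined ? Number(m[1]) : 1;
  const minFrac = m[3] !== undefined ? Number(m[3]) : 0;
  const maxFrac = m[5] !== undefined ? Number(m[5]) : Math.max(minFrac, 3);
  for (const n of [minInt, minFrac, maxFrac]) {
    if (!Number.isSafeInteger(n) || n < 0 || n > MAX_DIGITS) return null;
  }
  if (minFrac > maxFrac) return null; // Angular itself rejects this combination
  return { minInt, minFrac, maxFrac };
}

// Guard to place between the request/user preference and the formatting call:
// passes a valid string through unchanged, otherwise substitutes the fallback.
function safeDigitsInfo(
  userValue: string | null | undefined,
  fallback = "1.0-3",
): string {
  if (typeof userValue !== "string") return fallback;
  return parseDigitsInfo(userValue) === null ? fallback : userValue;
}
```

With this guard, a request carrying `digits=1.200000000-200000000` is formatted with "1.0-3" instead of reaching `roundNumber`.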

Impact

  • Complete denial of service for both server‑side and client‑side applications.
  • SSR applications: Node.js process crashes, taking the whole website offline.
  • CSR applications: The browser tab freezes permanently, forcing the user to kill the tab.


Sources:

Reported By: github.com
