Skip to main content

Angular Common CVE-2026-54268

| EUVDEUVD-2026-38273 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-15 https://github.com/angular/angular GHSA-48r7-hpm6-gfxm
8.2
CVSS 4.0 · Vendor: https://github.com/angular/angular
Share

Severity by source

Vendor (https://github.com/angular/angular) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable SSR endpoint, no authentication or user interaction, low complexity once a user-controlled format sink exists; availability-only impact via OOM, no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/angular/angular).

CVSS VectorVendor: https://github.com/angular/angular

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 22, 2026 - 16:59 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 22, 2026 - 16:59 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 16:52 vuln.today
cvss_changed
CVSS changed
Jun 22, 2026 - 16:52 NVD
8.2 (HIGH)
Source Code Evidence Fetched
Jun 15, 2026 - 17:53 vuln.today
Analysis Generated
Jun 15, 2026 - 17:53 vuln.today

DescriptionCVE.org

A Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter.

When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS).

Impact

1. Server-Side Rendering (SSR)

In Angular applications that leverage Server-Side Rendering, an attacker can supply a malicious payload with an excessively long date format string. Processing this on the server causes high CPU usage and triggers a JavaScript heap out of memory crash, rendering the application unavailable to all users.

2. Client-Side Rendering (CSR)

In standard client-side applications, executing the vulnerable function with an excessively long format string blocks the browser's main thread, causing the browser tab to freeze and become completely unresponsive.

Patched Versions

  • 22.0.1
  • 21.2.17
  • 20.3.25

Attack Preconditions

For this vulnerability to be exploitable, both of the following conditions must be met:

  1. Vulnerable Component Usage: The application must format dates using the formatDate utility or the DatePipe.
  2. Attacker-Controlled Parameter: The date format string passed to these utilities must be customizable or directly controlled by untrusted user input (e.g., parsed from query parameters, user preferences, or API responses).

*If the date format is hardcoded (e.g., 'mediumDate', 'shortTime', or static strings) or properly validated to be within a reasonable length limit, the application is not vulnerable.*

AnalysisAI

Denial of service in @angular/common's formatDate function (and the DatePipe that wraps it) allows remote attackers to exhaust CPU and memory by supplying an excessively long, attacker-controlled date format string. On Server-Side Rendered Angular apps this triggers a JavaScript heap out-of-memory crash that takes down the application for all users; on Client-Side Rendered apps it freezes the victim's browser tab. No public exploit identified at time of analysis, but the upstream patch and regression tests are public in angular/angular#69197.

Technical ContextAI

The flaw lives in packages/common/src/i18n/format_date.ts within the @angular/common npm package. The internal date-format parser iteratively splits the supplied format string with a regular expression in a loop, so input size drives parser work non-linearly and triggers uncontrolled resource consumption - the CWE-400 root cause. The fix introduces a MAX_DATE_FORMAT_LENGTH constant of 256 and an assertValidDateFormatLength guard that throws a RuntimeError (NG02300 SUSPICIOUS_DATE_FORMAT) before parsing begins. Affected CPEs are pkg:npm/@angular_common across the 19.x, 20.x, 21.x and 22.x release lines.

RemediationAI

Vendor-released patches are available - upgrade @angular/common to 22.0.1, 21.2.17, or 20.3.25 depending on which release line is in use, per GHSA-48r7-hpm6-gfxm. Applications still on Angular 19.x or earlier have no upstream fix and should plan a major-version upgrade; in the interim, the most effective compensating control is to ensure no untrusted input ever reaches the format argument of formatDate or DatePipe - either hardcode format tokens (e.g. 'mediumDate', 'shortTime') or validate length to under 256 characters before passing user-supplied values, mirroring the upstream MAX_DATE_FORMAT_LENGTH guard. For SSR deployments, additionally enforce request size and timeout limits at the reverse proxy and consider Node.js worker process recycling so a single OOM does not take down all concurrent users; the trade-off of strict length validation is that legitimate custom long format strings will be rejected, which is acceptable since real format strings are short.

Share

CVE-2026-54268 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy