Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable SSR endpoint, no authentication or user interaction, low complexity once a user-controlled format sink exists; availability-only impact via OOM, no confidentiality or integrity effect.
Primary rating from Vendor (https://github.com/angular/angular).
CVSS VectorVendor: https://github.com/angular/angular
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter.
When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS).
Impact
1. Server-Side Rendering (SSR)
In Angular applications that leverage Server-Side Rendering, an attacker can supply a malicious payload with an excessively long date format string. Processing this on the server causes high CPU usage and triggers a JavaScript heap out of memory crash, rendering the application unavailable to all users.
2. Client-Side Rendering (CSR)
In standard client-side applications, executing the vulnerable function with an excessively long format string blocks the browser's main thread, causing the browser tab to freeze and become completely unresponsive.
Patched Versions
- 22.0.1
- 21.2.17
- 20.3.25
Attack Preconditions
For this vulnerability to be exploitable, both of the following conditions must be met:
- Vulnerable Component Usage: The application must format dates using the
formatDateutility or theDatePipe. - Attacker-Controlled Parameter: The date format string passed to these utilities must be customizable or directly controlled by untrusted user input (e.g., parsed from query parameters, user preferences, or API responses).
*If the date format is hardcoded (e.g., 'mediumDate', 'shortTime', or static strings) or properly validated to be within a reasonable length limit, the application is not vulnerable.*
AnalysisAI
Denial of service in @angular/common's formatDate function (and the DatePipe that wraps it) allows remote attackers to exhaust CPU and memory by supplying an excessively long, attacker-controlled date format string. On Server-Side Rendered Angular apps this triggers a JavaScript heap out-of-memory crash that takes down the application for all users; on Client-Side Rendered apps it freezes the victim's browser tab. No public exploit identified at time of analysis, but the upstream patch and regression tests are public in angular/angular#69197.
Technical ContextAI
The flaw lives in packages/common/src/i18n/format_date.ts within the @angular/common npm package. The internal date-format parser iteratively splits the supplied format string with a regular expression in a loop, so input size drives parser work non-linearly and triggers uncontrolled resource consumption - the CWE-400 root cause. The fix introduces a MAX_DATE_FORMAT_LENGTH constant of 256 and an assertValidDateFormatLength guard that throws a RuntimeError (NG02300 SUSPICIOUS_DATE_FORMAT) before parsing begins. Affected CPEs are pkg:npm/@angular_common across the 19.x, 20.x, 21.x and 22.x release lines.
RemediationAI
Vendor-released patches are available - upgrade @angular/common to 22.0.1, 21.2.17, or 20.3.25 depending on which release line is in use, per GHSA-48r7-hpm6-gfxm. Applications still on Angular 19.x or earlier have no upstream fix and should plan a major-version upgrade; in the interim, the most effective compensating control is to ensure no untrusted input ever reaches the format argument of formatDate or DatePipe - either hardcode format tokens (e.g. 'mediumDate', 'shortTime') or validate length to under 256 characters before passing user-supplied values, mirroring the upstream MAX_DATE_FORMAT_LENGTH guard. For SSR deployments, additionally enforce request size and timeout limits at the reverse proxy and consider Node.js worker process recycling so a single OOM does not take down all concurrent users; the trade-off of strict length validation is that legitimate custom long format strings will be rejected, which is acceptable since real format strings are short.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38273
GHSA-48r7-hpm6-gfxm