Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remotely reachable when digitsInfo is user-controlled, no auth or interaction needed in that path; impact is availability-only via OOM/main-thread block, hence C:N/I:N/A:H.
Primary rating from Vendor (https://github.com/angular/angular).
CVSS VectorVendor: https://github.com/angular/angular
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum fraction digits parsed from the digitsInfo string (e.g., 1.2-4) are converted to integers and used without limits.
When parsing a maliciously crafted digitsInfo string with excessively large fraction digit values (e.g., 1.200000000-200000000), the internal roundNumber function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array.
Impact
Successful exploitation of this vulnerability allows an attacker to trigger resource exhaustion, leading to a Denial of Service (DoS):
- Server-Side Rendering (SSR): In applications using SSR (e.g.,
@angular/ssr), an attacker can crash the Node.js server process due to aJavaScript heap out of memoryerror. This affects the availability of the application for all users. - Client-Side Rendering (CSR): In standard client-side applications, the unbounded loop will block the main thread, freezing the user's browser tab and making it unresponsive.
Attack Preconditions
For this vulnerability to be exploitable, the following conditions must be met:
- Vulnerable Component Usage: The application must use Angular's number formatting utilities, such as the
formatNumberfunction directly, or via template pipes (DecimalPipe,PercentPipe,CurrencyPipe). - Attacker-Controlled Parameter: The
digitsInfoparameter passed to these utilities must be customizable or directly controlled by untrusted user input (e.g., parsed from query parameters, user preference settings, or API responses that accept user-defined formatting options). IfdigitsInfois trusted or limited to a known, defined range for its value, the vulnerability is not exploitable by external attackers.
Patches
- 22.0.0-rc.2
- 21.2.15
- 20.3.22
- 19.2.23
Credits
This vulnerability was discovered and reported by CodeMender from Google DeepMind.
AnalysisAI
Denial of service in Angular's @angular/common package allows attackers to exhaust CPU and memory by passing crafted digitsInfo strings (e.g., '1.200000000-200000000') to formatNumber, DecimalPipe, PercentPipe, or CurrencyPipe. On SSR deployments this crashes the Node.js process with a heap-out-of-memory error, while client-side rendering freezes the browser tab. No public exploit identified at time of analysis, though the patched code and triggering input strings are documented in PR #68840.
Technical ContextAI
The flaw sits in Angular's i18n number formatting path (packages/common/src/i18n/format_number.ts). The digitsInfo grammar 'minInt.minFraction-maxFraction' is parsed via parseInt with no upper bound, then passed into the internal roundNumber routine, which pads a digits array element-by-element until it reaches the requested fraction width. With maxFraction set to hundreds of millions, the padding loop allocates an unbounded array - a classic CWE-400 uncontrolled resource consumption issue. The fix introduces a MAX_ALLOWED_DIGITS = 100 guard that throws RuntimeErrorCode.INVALID_DIGIT_INFO when minInt, minFraction, or maxFraction exceed the cap. The affected package is identified by CPE pkg:npm/@angular/common and reaches end users via the DecimalPipe/PercentPipe/CurrencyPipe template pipes as well as direct formatNumber calls.
RemediationAI
Vendor-released patch: upgrade @angular/common to 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23 depending on your release train (see https://github.com/angular/angular/security/advisories/GHSA-p3vc-36g9-x9gr and PR https://github.com/angular/angular/pull/68840). The patch caps minInt/minFraction/maxFraction at 100 and throws on excess. For the 18.x line, which has no upstream fix, the only safe option is to migrate to a supported major or apply the PR #68840 diff via a fork/patch overlay (e.g., npm overrides or patch-package); compensating controls include validating any user-supplied digitsInfo against a strict allowlist regex such as ^\d{1,2}\.\d{1,2}-\d{1,2}$ before passing it to formatNumber/pipes, or refactoring templates so format specifiers are constants. Trade-off: an allowlist may reject otherwise legitimate locale-specific formats, and a forked patch carries ongoing maintenance cost until upgrade.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38298
GHSA-p3vc-36g9-x9gr