CVE-2024-21490

This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. Note: This package is EOL and will not receive any updates to address this issue. Users should migrate to @angular/core.

Weakness

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Affected Software

Extended Description

	  Attackers can create crafted inputs that
	  intentionally cause the regular expression to use
	  excessive backtracking in a way that causes the CPU
	  consumption to spike.

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/492.html

References

• https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6241746
• https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6241747
• https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113
• https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos
• https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html
• https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6241746
• https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6241747
• https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113
• https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos
• https://support.herodevs.com/hc/en-us/articles/25715686953485-CVE-2024-21490-AngularJS-Regular-Expression-Denial-of-Service-ReDoS