VYPR
Moderate severity · NVD Advisory · Published May 1, 2022 · Updated Nov 3, 2025

Regular Expression Denial of Service (ReDoS)

CVE-2022-25844

Description

The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. Note: 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AngularJS (angular package) from 1.7.0 onward is vulnerable to ReDoS via crafted locale rules, causing denial of service.

Vulnerability

The angular package (AngularJS) versions 1.7.0 and higher are vulnerable to Regular Expression Denial of Service (ReDoS) [1]. The vulnerability resides in the handling of custom locale rules through NUMBER_FORMATS.PATTERNS. By supplying a specially crafted locale object, an attacker can set NUMBER_FORMATS.PATTERNS[1].posPre to an extremely long string (the description gives it as ' '.repeat() with a very high count), which causes the regular expression engine to consume excessive CPU time when numbers are formatted [3][4]. The package has been deprecated and is no longer maintained [2].

Exploitation

An attacker needs the ability to supply a custom locale rule to an application using the vulnerable angular version. This can be achieved if the application accepts user-controlled locale configurations or if an attacker can inject locale data through other means. The attack does not require authentication or network proximity beyond the ability to deliver the crafted locale object to the application. The attacker provides a locale rule with a very large repetition count in posPre, triggering the ReDoS condition when the application processes number formatting [3][4].

Impact

Successful exploitation results in a Denial of Service (DoS) condition, causing the application to become unresponsive or hang due to excessive CPU consumption by the regular expression engine [1][3][4]. The confidentiality and integrity of data are not directly affected, but availability is severely impacted. No privilege escalation is achieved; the attacker merely prevents legitimate users from accessing the application.

Mitigation

AngularJS has reached end of life as of January 2022 and no patches for this vulnerability are available [2]. The package is deprecated and no longer maintained. Users should migrate to the actively supported Angular (v2+) framework [2]. As a workaround, applications can sanitize or reject any user-supplied locale rules that contain excessively large repetition values. The Debian LTS project has announced a fix as of July 2025 [1]. There is no indication that this CVE is listed in the KEV catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
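The workaround in the Mitigation section (reject user-supplied locale rules whose affix strings are implausibly long) can be enforced before a locale object reaches the application. The following is an added example, not AngularJS code and not part of the advisory. The field names (NUMBER_FORMATS.PATTERNS[i].posPre, posSuf, negPre, negSuf) follow the layout of AngularJS locale files; the length cap, the helper names and the two sample locales are assumptions constructed for this example.

```javascript
// Added example: a defensive guard for user-supplied AngularJS locale data.
// This is not AngularJS code. Field names (NUMBER_FORMATS.PATTERNS[i].posPre,
// posSuf, negPre, negSuf) follow the layout of AngularJS locale files; the
// length cap and the sample locales below are constructed for this example.

const MAX_AFFIX_LENGTH = 16; // assumption: genuine affixes are a few characters ("$", " %", "(")
const AFFIX_FIELDS = ["posPre", "posSuf", "negPre", "negSuf"];

// Checks every pattern's affix strings; returns { ok, problems } rather than throwing,
// so the caller can log the rejection and keep its current locale.
function validateNumberPatterns(numberFormats) {
  const problems = [];
  if (!numberFormats || !Array.isArray(numberFormats.PATTERNS)) {
    return { ok: false, problems: ["NUMBER_FORMATS.PATTERNS is missing or not an array"] };
  }
  numberFormats.PATTERNS.forEach((pattern, i) => {
    if (pattern === null || typeof pattern !== "object") {
      problems.push(`PATTERNS[${i}] is not an object`);
      return;
    }
    for (const field of AFFIX_FIELDS) {
      const value = pattern[field];
      if (value === undefined) continue; // optional field: nothing to check
      if (typeof value !== "string") {
        problems.push(`PATTERNS[${i}].${field} must be a string`);
      } else if (value.length > MAX_AFFIX_LENGTH) {
        problems.push(`PATTERNS[${i}].${field} is ${value.length} chars (limit ${MAX_AFFIX_LENGTH})`);
      }
    }
  });
  return { ok: problems.length === 0, problems };
}

// Applies a candidate locale only if it passes validation; otherwise keeps the current one.
function applyLocaleSafely(currentLocale, candidate) {
  const result = validateNumberPatterns(candidate && candidate.NUMBER_FORMATS);
  if (!result.ok) {
    return { applied: false, problems: result.problems, locale: currentLocale };
  }
  return { applied: true, problems: [], locale: candidate };
}

// Constructed sample: an en-US-style locale with ordinary decimal and currency patterns.
const benignLocale = {
  NUMBER_FORMATS: {
    PATTERNS: [
      { minInt: 1, minFrac: 0, maxFrac: 3, posPre: "", posSuf: "", negPre: "-", negSuf: "", gSize: 3, lgSize: 3 },
      { minInt: 1, minFrac: 2, maxFrac: 2, posPre: "\u00A4", posSuf: "", negPre: "-\u00A4", negSuf: "", gSize: 3, lgSize: 3 },
    ],
  },
};

// Constructed sample of the condition the advisory describes: a currency pattern
// whose posPre is a huge run of spaces. The guard should reject it before use.
const oversizedLocale = {
  NUMBER_FORMATS: {
    PATTERNS: [
      benignLocale.NUMBER_FORMATS.PATTERNS[0],
      { ...benignLocale.NUMBER_FORMATS.PATTERNS[1], posPre: " ".repeat(10000) },
    ],
  },
};

function demo() {
  const accepted = applyLocaleSafely(benignLocale, benignLocale);
  const rejected = applyLocaleSafely(benignLocale, oversizedLocale);
  console.log("benign accepted:", accepted.applied);      // true
  console.log("oversized rejected:", !rejected.applied);  // true
  console.log(rejected.problems);
  return { accepted, rejected };
}

demo();
```

The guard is deliberately a length check on the affix fields rather than a regex, so it cannot itself be the slow path; it rejects the whole locale on any problem and leaves the previously loaded locale in place, which is the behaviour a server or single-page app should want when locale data arrives from an untrusted source.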

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
angular (npm)    >= 1.7.0            (none)

Affected products: 6

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 16

News mentions: 0

No linked articles in our index yet.