CVE-2023-26116
Description
Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. The vulnerability can be exploited with a large, carefully crafted input, which can result in catastrophic backtracking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AngularJS versions >=1.2.21 are vulnerable to ReDoS via angular.copy() due to insecure regex, allowing denial of service via crafted input.
Vulnerability
The angular.copy() utility function in AngularJS versions 1.2.21 and later contains an insecure regular expression that is susceptible to catastrophic backtracking [4]. This Regular Expression Denial of Service (ReDoS) vulnerability allows an attacker to cause excessive CPU consumption by providing a large, carefully crafted input to the function.
Exploitation
Exploitation is possible by passing a specially crafted string to angular.copy() in any context where user input is accepted. Since the vulnerability lies in a core utility, it can be triggered both in client-side browsers and in server-side Node.js environments using the angular package. No authentication is required if the function is exposed to untrusted data [4].
Impact
Successful exploitation leads to denial of service, causing the application to hang or become unresponsive. This can disrupt service availability for legitimate users. AngularJS support officially ended in January 2022 [2], and no patch for this vulnerability has been released. Users are strongly advised to migrate to actively supported frameworks such as Angular (2+).
Mitigation
As AngularJS is end-of-life, the only effective mitigation is to upgrade to a supported framework. Debian LTS may provide backported fixes [1], but the vendor recommends migrating away from AngularJS [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| angular (npm) | <= 1.8.3 | — |
Affected products: 1
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-2vrf-hf26-jrp5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-26116 (ghsa, ADVISORY)
- lists.debian.org/debian-lts-announce/2025/07/msg00005.html (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K (ghsa, WEB)
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320 (ghsa, WEB)
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322 (ghsa, WEB)
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321 (ghsa, WEB)
- security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044 (ghsa, WEB)
- stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/ (mitre)