CVE-2023-26117
Description
Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AngularJS $resource service is vulnerable to ReDoS via an insecure regex, enabling denial of service with crafted input.
Vulnerability
CVE-2023-26117 is a Regular Expression Denial of Service (ReDoS) vulnerability in the AngularJS $resource service, affecting all versions from 1.0.0 [1]. The root cause is the use of an insecure regular expression for URL parsing, which can cause catastrophic backtracking when processing a specially crafted input [3].
Exploitation
An attacker can exploit this vulnerability by submitting a large, carefully-crafted string to an application that uses AngularJS's $resource service [1]. No authentication is required if the service is exposed to user input; the attacker only needs to provide the malicious input via a parameter processed by $resource [3].
Impact
Successful exploitation results in a ReDoS condition, making the application unresponsive or crashing it, thus denying service to legitimate users [1]. The attacker does not gain access to data but can effectively disable the service.
Mitigation
AngularJS has ended official support as of January 2022, and no patch will be released [2]. Users should migrate to the actively supported Angular (version 2+) or apply workarounds such as input sanitization and validation [2][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
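A defensive workaround in the spirit of the mitigation above, added here as an example and not code from AngularJS or this advisory: gate the length of a URL before it reaches $resource, and strip trailing slashes with a single backward scan instead of a backtracking regular expression. It assumes `MAX_URL_LENGTH` as an application-chosen limit and that $resource's `stripTrailingSlashes` option keeps a lone `/` when everything is stripped; the regex AngularJS itself uses is not quoted on this page.

```javascript
// Added example for the CVE-2023-26117 mitigation; not AngularJS code.
// Two measures a caller can apply before a URL reaches $resource:
//  1. a length gate, so oversized input never reaches any regex-based parser;
//  2. a linear-time trailing-slash strip that does the work of $resource's
//     stripTrailingSlashes option without regex backtracking.

const MAX_URL_LENGTH = 2048; // assumed application limit; tune per deployment

// Strip trailing '/' characters with one backward scan: O(n) for every input,
// however the slashes are arranged. A lone '/' is returned for an all-slash
// or empty input (assumed to mirror $resource's behaviour).
function stripTrailingSlashes(url) {
  let end = url.length;
  while (end > 0 && url.charCodeAt(end - 1) === 0x2f) { // 0x2f is '/'
    end -= 1;
  }
  return end === 0 ? '/' : url.slice(0, end);
}

// Gate applied at the trust boundary: reject non-strings and oversized input
// before any URL processing runs, then normalise. Use the result in place of
// raw user input, e.g. $resource(validateResourceUrl(userUrl), params).
function validateResourceUrl(url) {
  if (typeof url !== 'string') {
    throw new TypeError('resource URL must be a string');
  }
  if (url.length > MAX_URL_LENGTH) {
    throw new RangeError(`resource URL exceeds ${MAX_URL_LENGTH} characters`);
  }
  return stripTrailingSlashes(url);
}

// Boolean form of the gate for callers that prefer not to catch exceptions.
function isAcceptableResourceUrl(url) {
  try {
    validateResourceUrl(url);
    return true;
  } catch (e) {
    return false;
  }
}
```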
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| angular (npm) | <= 1.8.3 | — |
Affected products
- Range: v1.0.0, v1.0.1, v1.1.0, …
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2qqx-w9hr-q5gx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-26117 (GHSA, advisory)
- lists.debian.org/debian-lts-announce/2025/07/msg00005.html (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/ (GHSA and MITRE, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/ (GHSA and MITRE, web)
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406323 (GHSA, web)
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406325 (GHSA, web)
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406324 (GHSA, web)
- security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045 (GHSA, web)
- stackblitz.com/edit/angularjs-vulnerability-resource-trailing-slashes-redos (GHSA, web)
News mentions
No linked articles in our index yet.