CVE-2023-26118
Description
Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `<input type="url">` element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible with a large, carefully crafted input, which can result in catastrophic backtracking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AngularJS 1.4.9 and later are vulnerable to ReDoS via the `<input type="url">` element due to an insecure regex.
Vulnerability
CVE-2023-26118 is a Regular Expression Denial of Service (ReDoS) vulnerability in AngularJS (package angular) affecting versions from 1.4.9 onward. The flaw resides in the input[url] directive, which uses an insecure regular expression to validate URL inputs. When processing a large, carefully-crafted input, the regex engine can enter catastrophic backtracking, consuming excessive CPU time [1][4].
Exploitation
An attacker can exploit this vulnerability by submitting a specially constructed, lengthy URL string to any form field bound to `<input type="url">` in an AngularJS application. No authentication is required if the application allows unauthenticated users to submit such input. The attack is performed entirely via normal HTTP requests, requiring no special network position [1][3].
Impact
Successful exploitation causes the application to become unresponsive due to high CPU consumption, effectively resulting in a denial of service (DoS) for legitimate users. The attack does not lead to data exfiltration or code execution, but it can severely degrade or halt service availability [3][4].
Mitigation
AngularJS reached end of life in January 2022 and no patches will be issued [2]. Users are strongly advised to migrate to the actively supported Angular framework (angular.io). For those who cannot migrate, input throttling or alternative URL validation mechanisms may reduce risk, but the underlying vulnerable code remains. Debian has released a notification for their LTS distribution [1], indicating that the vulnerability is widely recognized.
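One form the "alternative URL validation mechanisms" above can take is shown here as an added example; it is not AngularJS code and does not reproduce the vulnerable regex. It caps input length before doing any parsing and then uses the WHATWG URL parser, whose cost is linear in the input, in place of a backtracking regex; the length limit and scheme allowlist are assumed values to be tuned per application.

```javascript
// Added example: a bounded, linear-time URL validator meant to stand in for a
// backtracking regex in a form validator. Not code from the AngularJS project.
const MAX_URL_LENGTH = 2048;                          // assumed cap
const ALLOWED_SCHEMES = new Set(["http:", "https:"]); // assumed allowlist

// Returns true when `value` is a well-formed absolute URL with an allowed scheme.
// The length check runs first, so an oversized input is rejected in O(1) and
// never reaches the parser; the parser itself does no backtracking, so CPU time
// cannot grow superlinearly the way it can with a catastrophic-backtracking regex.
function isSafeUrl(value) {
  if (typeof value !== "string") return false;
  if (value.length === 0 || value.length > MAX_URL_LENGTH) return false;
  let parsed;
  try {
    parsed = new URL(value); // WHATWG URL parser, linear in input length
  } catch (e) {
    return false;            // malformed URL
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) && parsed.hostname.length > 0;
}

// Same shape as an AngularJS ctrl.$validators entry (modelValue, viewValue) ->
// boolean, written as a plain function so it runs without the framework.
// An empty value is treated as valid and left to a separate `required` check.
function urlValidator(modelValue, viewValue) {
  const value = viewValue !== undefined ? viewValue : modelValue;
  if (value === undefined || value === null || value === "") return true;
  return isSafeUrl(value);
}

// Constructed sample inputs: a benign URL, a disallowed scheme, a non-URL, and an
// oversized string of the kind a backtracking regex would grind on.
const OVERSIZED_INPUT = "http://" + "a".repeat(MAX_URL_LENGTH + 1);
const SAMPLES = [
  "https://example.com/path?q=1",
  "mailto:someone@example.com",
  "not a url",
  OVERSIZED_INPUT,
];

// Evaluates every sample and returns the verdicts in order.
function checkSamples() {
  return SAMPLES.map(isSafeUrl);
}
```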
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| angular (npm) | <= 1.8.3 | — |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (12)
- github.com/advisories/GHSA-qwqh-hm9m-p5hr (source: GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-26118 (source: GHSA, advisory)
- lists.debian.org/debian-lts-announce/2025/07/msg00005.html (source: GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ (source: GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K (source: GHSA, web)
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406326 (source: GHSA, web)
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406328 (source: GHSA, web)
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406327 (source: GHSA, web)
- security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046 (source: GHSA, web)
- stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos (source: GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/ (source: MITRE)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/ (source: MITRE)
News mentions: 0
No linked articles in our index yet.