CVE-2024-21490
Description
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. Note: This package is EOL and will not receive any updates to address this issue. Users should migrate to @angular/core.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A ReDoS vulnerability in AngularJS (angular) versions >=1.3.0 triggers catastrophic backtracking in ng-srcset's regex, leading to a denial of service.
CVE-2024-21490 affects the AngularJS package (angular) from version 1.3.0 onward. A regular expression used to parse the value of the ng-srcset directive is vulnerable to catastrophic backtracking, a type of ReDoS (Regular Expression Denial of Service). When the regex is applied to a carefully crafted large input, the matching time grows super-linearly, which can exhaust server resources or cause browser unresponsiveness. [1][3][4]
An attacker can exploit this by providing a malicious ng-srcset value—for example via a crafted URL, user input that populates a directive, or by injecting into an AngularJS template. No authentication is required if an application reflects unsanitized user data in an ng-srcset binding. The attack surface is client-side, but a server-side rendering environment could also be affected if it processes such templates. [1][4]
The impact is a Denial of Service: the browser or Node process may hang or become unresponsive while the regex engine backtracks, degrading user experience or taking down a server-side AngularJS rendering service. This vulnerability does not lead to remote code execution or data theft. [3][4]
AngularJS reached its end-of-life in January 2022, and the vendor will not release a patch for this issue. Users are advised to migrate to the actively supported @angular/core framework. The Debian LTS team has included a fix in angular.js package updates. [1][2]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
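As an added mitigation example (not AngularJS code and not taken from this advisory's references): applications that cannot yet leave AngularJS can split ng-srcset values themselves before binding them, using a single left-to-right pass instead of a backtracking regex, so the cost stays linear in the input length. The MAX_SRCSET_LENGTH cap and the helper names are assumptions for this example.

```javascript
// Added example, not AngularJS's own code: split a srcset value into
// { url, descriptor } candidates in one pass. Every character is visited
// a bounded number of times, so a crafted value cannot cause super-linear
// matching time the way a backtracking regex split can.
const MAX_SRCSET_LENGTH = 4096; // assumed cap; tune for your application

function isSpace(ch) {
  return ch === ' ' || ch === '\t' || ch === '\n' || ch === '\r' || ch === '\f';
}

function parseSrcset(value) {
  if (typeof value !== 'string') return [];
  if (value.length > MAX_SRCSET_LENGTH) {
    // Reject oversized input before doing any parsing work at all.
    throw new RangeError('srcset value longer than ' + MAX_SRCSET_LENGTH);
  }
  const candidates = [];
  const n = value.length;
  let i = 0;
  while (i < n) {
    // Skip whitespace and stray commas between candidates.
    while (i < n && (isSpace(value[i]) || value[i] === ',')) i++;
    if (i >= n) break;
    // A URL is the next run of non-whitespace characters (commas allowed).
    const urlStart = i;
    while (i < n && !isSpace(value[i])) i++;
    let urlEnd = i;
    // A URL that ends in commas has no descriptor; strip those commas.
    let hasDescriptor = true;
    while (urlEnd > urlStart && value[urlEnd - 1] === ',') {
      urlEnd--;
      hasDescriptor = false;
    }
    let descriptor = '';
    if (hasDescriptor) {
      // The descriptor (e.g. "2x" or "480w") runs up to the next comma.
      while (i < n && isSpace(value[i])) i++;
      const descStart = i;
      while (i < n && value[i] !== ',') i++;
      descriptor = value.slice(descStart, i).trim();
    }
    const url = value.slice(urlStart, urlEnd);
    if (url.length > 0) candidates.push({ url: url, descriptor: descriptor });
  }
  return candidates;
}

console.log(parseSrcset('small.jpg 1x, large.jpg 2x'));
```

Run the parser on untrusted input in application code and bind only the reassembled, validated candidates to ng-srcset; the length cap bounds the work even for inputs the parser later rejects.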
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| angular (npm) | >= 1.3.0, <= 1.8.3 | — |
| org.webjars.npm:angular (Maven) | >= 1.3.0, <= 1.8.3 | — |
| org.webjars.bower:angular (Maven) | >= 1.3.0, <= 1.8.3 | — |
Affected products (8)
- angular/angular (source: description)
- 7 OSV coordinates (source: osv-coords):
  - pkg:apk/chainguard/solr (no CPE), range: < 9.8.1-r0
  - pkg:apk/chainguard/solr-oci-compat (no CPE), range: < 9.8.1-r0
  - pkg:apk/wolfi/solr (no CPE), range: < 9.8.1-r0
  - pkg:apk/wolfi/solr-oci-compat (no CPE), range: < 9.8.1-r0
  - pkg:maven/org.webjars.bower/angular (no CPE), range: >= 1.3.0, <= 1.8.3
  - pkg:maven/org.webjars.npm/angular (no CPE), range: >= 1.3.0, <= 1.8.3
  - pkg:npm/angular (no CPE), range: >= 1.3.0, <= 1.8.3
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (8)
- github.com/advisories/GHSA-4w4v-5hc9-xrr2 (ADVISORY, via ghsa)
- nvd.nist.gov/vuln/detail/CVE-2024-21490 (ADVISORY, via ghsa)
- lists.debian.org/debian-lts-announce/2025/07/msg00005.html (WEB, via ghsa)
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6241746 (WEB, via ghsa)
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6241747 (WEB, via ghsa)
- security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113 (WEB, via ghsa)
- stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos (WEB, via ghsa)
- support.herodevs.com/hc/en-us/articles/25715686953485-CVE-2024-21490-AngularJS-Regular-Expression-Denial-of-Service-ReDoS (WEB, via ghsa)
News mentions (0)
No linked articles in our index yet.