High severityNVD Advisory· Published Feb 10, 2024· Updated Nov 3, 2025
CVE-2024-21490
CVE-2024-21490
Description
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. Note: This package is EOL and will not receive any updates to address this issue. Users should migrate to @angular/core.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
angularnpm | >= 1.3.0, <= 1.8.3 | — |
org.webjars.npm:angularMaven | >= 1.3.0, <= 1.8.3 | — |
org.webjars.bower:angularMaven | >= 1.3.0, <= 1.8.3 | — |
Affected products
8- osv-coords7 versionspkg:apk/chainguard/solrpkg:apk/chainguard/solr-oci-compatpkg:apk/wolfi/solrpkg:apk/wolfi/solr-oci-compatpkg:maven/org.webjars.bower/angularpkg:maven/org.webjars.npm/angularpkg:npm/angular
< 9.8.1-r0+ 6 more
- (no CPE)range: < 9.8.1-r0
- (no CPE)range: < 9.8.1-r0
- (no CPE)range: < 9.8.1-r0
- (no CPE)range: < 9.8.1-r0
- (no CPE)range: >= 1.3.0, <= 1.8.3
- (no CPE)range: >= 1.3.0, <= 1.8.3
- (no CPE)range: >= 1.3.0, <= 1.8.3
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-4w4v-5hc9-xrr2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-21490ghsaADVISORY
- lists.debian.org/debian-lts-announce/2025/07/msg00005.htmlghsaWEB
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6241746ghsaWEB
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6241747ghsaWEB
- security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113ghsaWEB
- stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redosghsaWEB
- support.herodevs.com/hc/en-us/articles/25715686953485-CVE-2024-21490-AngularJS-Regular-Expression-Denial-of-Service-ReDoSghsaWEB
News mentions
0No linked articles in our index yet.