CVE-2024-21490HIGHCVSS 7.5

CVE-2024-21490

Published Feb 10, 2024·Updated Jun 29, 2026

Description

This affects versions of the package angular from 1.3.0; versions of the package angularjs from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).

Public Exploits & PoCs1 found

[POC] CVE-2024-21490 — roninforge-angularjs-migration

AngularJS 1.x -> Angular 18 migration guidance for GitHub Copilot. Source-of-truth repo for github/awesome-copilot/instructions/angularjs-to-angular-18.instructions.md. 62 LLM regressions across 3 modes. AngularJS EOL since Dec 31 2021; CVE-2024-21490 unpatched.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

View on NVD Search GitHub Search Google

Get alerted for CVEs like this

Start monitoring free