CVE-2023-26117: angular vulnerable to regular expression denial of service via the $resource service

March 30, 2023 (updated April 4, 2024)

All versions of the package angular is vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

References

github.com/advisories/GHSA-2qqx-w9hr-q5gx
nvd.nist.gov/vuln/detail/CVE-2023-26117
security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045
stackblitz.com/edit/angularjs-vulnerability-resource-trailing-slashes-redos

Detect and mitigate CVE-2023-26117 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →