CVE-2026-54268

HIGH EPSS 24.9%

Published Jun 22, 20261w ago · Modified Jun 23, 20266d ago

8.2 CVSS 4.0

High

Published Jun 22, 2026 1w ago

Last Modified Jun 23, 2026 6d ago

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.

CVSS Details

Base Score

8.2

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

24.9% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-1333

CWE-400 Uncontrolled Resource Consumption Resource Mgmt

References 3

github.com https://github.com/angular/angular/commit/eeb03f4ea310e2e51ba5d53a421ec7b418e186cd
github.com https://github.com/angular/angular/pull/69197
github.com https://github.com/angular/angular/security/advisories/GHSA-48r7-hpm6-gfxm

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.