GHSA-p3vc-36g9-x9gr
@angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)
Details
A Denial of Service (DoS) vulnerability exists in the `@angular/common` package of Angular. The `formatNumber` function, which is also utilized by `DecimalPipe`, `PercentPipe`, and `CurrencyPipe`, does not properly validate the upper bounds of the `digitsInfo` parameter. Specifically, the minimum and maximum fraction digits parsed from the `digitsInfo` string (e.g., `1.2-4`) are converted to integers and used without limits.
When parsing a maliciously crafted `digitsInfo` string with excessively large fraction digit values (e.g., `1.200000000-200000000`), the internal `roundNumber` function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array.
### Impact
Successful exploitation of this vulnerability allows an attacker to trigger resource exhaustion, leading to a Denial of Service (DoS):
* **Server-Side Rendering (SSR):** In applications using SSR (e.g., `@angular/ssr`), an attacker can crash the Node.js server process due to a `JavaScript heap out of memory` error. This affects the availability of the application for all users.
* **Client-Side Rendering (CSR):** In standard client-side applications, the unbounded loop will block the main thread, freezing the user's browser tab and making it unresponsive.
### Attack Preconditions
For this vulnerability to be exploitable, the following conditions must be met:
1. **Vulnerable Component Usage:** The application must use Angular's number formatting utilities, such as the `formatNumber` function directly, or via template pipes (`DecimalPipe`, `PercentPipe`, `CurrencyPipe`).
2. **Attacker-Controlled Parameter:** The `digitsInfo` parameter passed to these utilities must be customizable or directly controlled by untrusted user input (e.g., parsed from query parameters, user preference settings, or API responses that accept user-defined formatting options). If `digitsInfo` is trusted or limited to a known, defined range for its value, the vulnerability is not exploitable by external attackers.
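Precondition 2 is the one an application can remove itself: bound-check any user-supplied `digitsInfo` before it reaches `formatNumber` or the pipes. The following is an added example, not Angular's code; the regex is written to mirror the `{minInt}.{minFrac}-{maxFrac}` shape the advisory describes, and the caps and fallback defaults are assumed policy values for this example.

```typescript
// Added example (not part of @angular/common): gate untrusted digitsInfo.
// Shape mirrors Angular's "{minIntDigits}.{minFractionDigits}-{maxFractionDigits}".
const DIGITS_INFO_RE = /^(\d+)?\.((\d+)(-(\d+))?)?$/;

// Assumed caps for this example. Intl.NumberFormat itself refuses fraction
// digits above 100, so anything larger is never a legitimate request.
const MAX_INT_DIGITS = 21;
const MAX_FRACTION_DIGITS = 20;

interface DigitsInfo {
  minInt: number;
  minFrac: number;
  maxFrac: number;
}

// Returns the parsed bounds, or null when the string is malformed or
// exceeds the caps (e.g. "1.200000000-200000000" from the advisory).
function parseSafeDigitsInfo(input: string): DigitsInfo | null {
  const m = DIGITS_INFO_RE.exec(input);
  if (m === null) return null; // not a digitsInfo string at all

  // Defaults below (1 / 0 / 3) are assumed; they match the common en pattern.
  const minInt = m[1] !== undefined ? parseInt(m[1], 10) : 1;
  const minFrac = m[3] !== undefined ? parseInt(m[3], 10) : 0;
  const maxFrac = m[5] !== undefined ? parseInt(m[5], 10) : Math.max(minFrac, 3);

  // Upper bounds: this is the check the vulnerable formatNumber lacked.
  if (minInt > MAX_INT_DIGITS) return null;
  if (minFrac > MAX_FRACTION_DIGITS || maxFrac > MAX_FRACTION_DIGITS) return null;
  if (minFrac > maxFrac) return null; // internally inconsistent request

  return { minInt, minFrac, maxFrac };
}

// Convenience wrapper: pass through a validated string, otherwise fall back
// to a fixed, known-safe format instead of forwarding the user's value.
function safeDigitsInfo(input: string, fallback = '1.0-3'): string {
  return parseSafeDigitsInfo(input) === null ? fallback : input;
}

// Typical call site (assumed): formatNumber(value, locale, safeDigitsInfo(req.query.fmt))
```

The same gate applies to pipe arguments in templates: resolve the user's preference through `safeDigitsInfo` in the component before binding it to `| number:fmt`.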
### Patches
- 22.0.0-rc.2
- 21.2.15
- 20.3.22
- 19.2.23
### Credits
This vulnerability was discovered and reported by [CodeMender from Google DeepMind](https://deepmind.google/blog/introducing-codemender-an-ai-agent-for-code-security/).
Affected packages

| Affected from | Fixed in | Upgrade |
|---|---|---|
| 22.0.0-next.0 | 22.0.0-rc.2 | `npm install @angular/common@22.0.0-rc.2` |
| 21.0.0-next.0 | 21.2.15 | `npm install @angular/common@21.2.15` |
| 20.0.0-next.0 | 20.3.22 | `npm install @angular/common@20.3.22` |
| 19.0.0-next.0 | 19.2.23 | `npm install @angular/common@19.2.23` |
| 0 | No fixed version published yet for @angular/common (npm). | Pin to a known-safe version or switch to an alternative. |