Impact
The flaw is located in Angular’s @angular/common package, specifically the internal formatNumber helper that is used by DecimalPipe, PercentPipe and CurrencyPipe. When a digitsInfo string specifies an extremely high number of fraction digits, the helper converts those values into integers and expands an internal digits array without any upper bound. This results in an unbounded loop that consumes a large amount of memory until the process crashes, causing a denial of service. The weakness is an input validation failure leading to uncontrolled resource consumption (CWE‑400, CWE‑834, CWE‑835).
Affected Systems
Applications that use Angular releases earlier than 22.0.0‑rc.2, 21.2.15, 20.3.22 or 19.2.23 and import the vulnerable @angular/common package are affected. Any UI component that formats numbers with DecimalPipe, PercentPipe or CurrencyPipe must verify that the installed version includes the fix.
Risk and Exploitability
With a CVSS score of 8.2, the vulnerability is considered high severity. The EPSS score is 0.00161, which represents a very low but non‑zero probability of exploitation, and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector involves an attacker supplying a malicious digitsInfo string through any user‑input interface that reaches the Angular formatter. The exploit requires no authentication or elevated privileges; the vulnerability operates solely on input validation failure. If such an input path exists, the DoS risk is immediate.
OpenCVE Enrichment
Github GHSA