Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum fraction digits parsed from the digitsInfo string (e.g., 1.2-4) are converted to integers and used without limits. When parsing a maliciously crafted digitsInfo string with excessively large fraction digit values (e.g., 1.200000000-200000000), the internal roundNumber function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Published: 2026-06-22
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is located in Angular’s @angular/common package, specifically the internal formatNumber helper that is used by DecimalPipe, PercentPipe and CurrencyPipe. When a digitsInfo string specifies an extremely high number of fraction digits, the helper converts those values into integers and expands an internal digits array without any upper bound. This results in an unbounded loop that consumes a large amount of memory until the process crashes, causing a denial of service. The weakness is an input validation failure leading to uncontrolled resource consumption (CWE‑400, CWE‑834, CWE‑835).

Affected Systems

Applications that use Angular releases earlier than 22.0.0‑rc.2, 21.2.15, 20.3.22 or 19.2.23 and import the vulnerable @angular/common package are affected. Any UI component that formats numbers with DecimalPipe, PercentPipe or CurrencyPipe must verify that the installed version includes the fix.

Risk and Exploitability

With a CVSS score of 8.2, the vulnerability is considered high severity. The EPSS score is 0.00161, which represents a very low but non‑zero probability of exploitation, and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector involves an attacker supplying a malicious digitsInfo string through any user‑input interface that reaches the Angular formatter. The exploit requires no authentication or elevated privileges; the vulnerability operates solely on input validation failure. If such an input path exists, the DoS risk is immediate.

Generated by OpenCVE AI on June 30, 2026 at 01:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @angular/common to a version that includes the patch (Angular 22.0.0‑rc.2 or newer, or 21.2.15, 20.3.22, 19.2.23).
  • Add validation for digitsInfo values to enforce reasonable bounds on the fraction digit count (e.g., limit to a maximum of 20).
  • Implement application‑level resource limits or monitoring to detect abnormal memory usage and restart affected components if necessary.

Generated by OpenCVE AI on June 30, 2026 at 01:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p3vc-36g9-x9gr @angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)
History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Angular
Angular angular
Vendors & Products Angular
Angular angular

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum fraction digits parsed from the digitsInfo string (e.g., 1.2-4) are converted to integers and used without limits. When parsing a maliciously crafted digitsInfo string with excessively large fraction digit values (e.g., 1.200000000-200000000), the internal roundNumber function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Title Angular: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)
Weaknesses CWE-400
CWE-834
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T16:02:07.902Z

Reserved: 2026-06-03T20:54:20.433Z

Link: CVE-2026-50171

cve-icon Vulnrichment

Updated: 2026-06-23T14:16:59.203Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T15:49:51Z

Links: CVE-2026-50171 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T02:00:05Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-834

    Excessive Iteration

  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')