Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Published: 2026-06-22
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed date format string supplied to the @angular/common formatDate function causes a regular‑expression loop that allocates memory without bounds. The resulting high CPU usage and excessive memory allocation can crash or hang an Angular application, denying service. This is a classic resource exhaustion flaw identified as CWE‑1333 and CWE‑400.

Affected Systems

Angular applications using @angular/common prior to versions 22.0.1, 21.2.17, or 20.3.25 are affected. The vulnerability is present in the standard DatePipe as well. Any web front‑end built with these Angular releases that accepts user‑supplied format strings is potentially vulnerable.

Risk and Exploitability

The risk is moderate to high: the CVSS score is 8.2 and the exploitability is straightforward—any attacker can send an overly long format string to the client side and trigger the loop. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. As the DoS occurs client‑side, it can be triggered from any network channel that can reach the application’s front‑end.

Generated by OpenCVE AI on June 22, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Angular to 22.0.1, 21.2.17, or 20.3.25 – the versions that contain the fix for formatDate
  • If an upgrade cannot be performed immediately, implement size limits on format strings fed to DatePipe or formatDate, ensuring the string length does not exceed a safe threshold
  • Apply monitoring or rate limiting to detect and mitigate abnormal CPU usage spikes that may indicate an ongoing DoS attempt
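The second recommended action above, a length guard on format strings before they reach formatDate or DatePipe, written here as an added TypeScript example; it is not Angular's code and not part of this OpenCVE record. The 64-character threshold, the makeGuardedFormatDate wrapper, and the toyFormatDate stand-in for Angular's formatDate are assumptions for illustration.

```typescript
// Added example (not Angular's code): a length guard for date format strings
// applied before formatDate()/DatePipe parses them, as an interim mitigation
// until @angular/common is upgraded to a fixed release.
// MAX_DATE_FORMAT_LENGTH is an assumed threshold: Angular's predefined aliases
// ("short", "mediumDate", ...) and typical custom patterns such as
// "EEEE, MMMM d, y, h:mm:ss a zzzz" are all far shorter than 64 characters.
const MAX_DATE_FORMAT_LENGTH = 64;

// Error raised for an over-long pattern; identified by name so that the check
// works regardless of the compilation target's handling of Error subclasses.
function dateFormatTooLongError(actualLength: number, maxLength: number): Error {
  const err = new Error(`date format string of ${actualLength} chars exceeds limit of ${maxLength}`);
  err.name = 'DateFormatTooLongError';
  return err;
}

function isDateFormatTooLong(err: unknown): boolean {
  return err instanceof Error && err.name === 'DateFormatTooLongError';
}

// Returns the format unchanged when it is within bounds, otherwise throws.
// The check is O(1) and runs before any parsing of the pattern takes place.
function assertSafeDateFormat(format: unknown, maxLength: number = MAX_DATE_FORMAT_LENGTH): string {
  if (typeof format !== 'string') {
    throw new TypeError(`date format must be a string, got ${typeof format}`);
  }
  if (format.length > maxLength) {
    throw dateFormatTooLongError(format.length, maxLength);
  }
  return format;
}

// Signature shape of Angular's formatDate(value, format, locale, timezone?).
type DateFormatter = (value: Date | string | number, format: string, locale: string, timezone?: string) => string;

interface GuardOptions {
  maxLength?: number;
  // When set, an over-long pattern is replaced by this trusted pattern instead
  // of raising, which suits a custom pipe that must not throw inside a template.
  fallbackFormat?: string;
}

// Wraps any formatter with the length check. In an Angular app you would pass
// formatDate from @angular/common; this example passes the toy formatter below.
function makeGuardedFormatDate(formatDate: DateFormatter, options: GuardOptions = {}): DateFormatter {
  const maxLength = options.maxLength ?? MAX_DATE_FORMAT_LENGTH;
  return (value, format, locale, timezone) => {
    let safeFormat: string;
    try {
      safeFormat = assertSafeDateFormat(format, maxLength);
    } catch (err) {
      if (options.fallbackFormat === undefined) throw err;
      safeFormat = options.fallbackFormat;
    }
    return formatDate(value, safeFormat, locale, timezone);
  };
}

// Constructed stand-in for formatDate so the example runs offline. It only
// understands the yyyy / MM / dd tokens, in UTC; it is not Angular's parser.
const toyFormatDate: DateFormatter = (value, format) => {
  const d = value instanceof Date ? value : new Date(value);
  const pad = (n: number): string => (n < 10 ? '0' + n : String(n));
  return format.replace(/yyyy|MM|dd/g, (token) =>
    token === 'yyyy' ? String(d.getUTCFullYear())
      : token === 'MM' ? pad(d.getUTCMonth() + 1)
        : pad(d.getUTCDate()));
};

// Demonstration on constructed input: a 1 MB repeating pattern of the kind the
// description mentions is rejected (or replaced) before the formatter sees it.
function demo(): { normal: string; fallback: string; rejected: boolean } {
  const when = Date.UTC(2026, 5, 22);
  const oversized = new Array(500001).join('dd'); // 1,000,000 characters
  const strict = makeGuardedFormatDate(toyFormatDate);
  const lenient = makeGuardedFormatDate(toyFormatDate, { fallbackFormat: 'yyyy-MM-dd' });
  let rejected = false;
  try {
    strict(when, oversized, 'en-US');
  } catch (e) {
    rejected = isDateFormatTooLong(e);
  }
  return {
    normal: strict(when, 'dd/MM/yyyy', 'en-US'),
    fallback: lenient(when, oversized, 'en-US'),
    rejected,
  };
}
```

In an application the guard belongs wherever a user-controlled pattern enters the rendering path: wrap formatDate once with makeGuardedFormatDate and call the wrapper from a custom pipe, rather than handing untrusted strings straight to DatePipe. The fallback variant keeps templates rendering with a trusted pattern; the strict variant surfaces the rejection so it can be logged and counted as a signal for the monitoring the third action recommends.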



Advisories
  • Source: GitHub GHSA
    ID: GHSA-48r7-hpm6-gfxm
    Title: @angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
History

Mon, 22 Jun 2026 15:45:00 +0000

Values added (no values removed):

  • Description: identical to the Description section above
  • Title: Angular: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
  • Weaknesses: CWE-1333, CWE-400
  • References: (no values shown)
  • Metrics: cvssV4_0, score 8.2, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T15:31:47.836Z

Reserved: 2026-06-12T17:13:32.279Z

Link: CVE-2026-54268

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T16:30:08Z

Weaknesses
  • CWE-1333: Inefficient Regular Expression Complexity
  • CWE-400: Uncontrolled Resource Consumption