Impact
A malformed date format string supplied to expression loop that allocates memory without bounds. The resulting high CPU usage and excessive memory allocation can crash or hang an Angular application, denying service. This is a classic resource exhaustion flaw identified as CWE-1333, CWE-400, and CWE-1284.
Affected Systems
Angular applications prior to 22.0.1, 21.2.17, or 20.3.25 are affected. The vulnerability is present in the standard DatePipe as well. Any web front‑end built with these Angular.
Risk and Exploitability
The risk is moderate to high: the CVSS score is 8.2 and the exploitability is straightforward—any attacker can send an overly long format string to the client side and trigger the loop. The EPSS score of < 1% indicates a very low but nonzero probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. As the DoS occurs client‑side, it can be triggered from any network channel that can reach the application’s front‑end.
OpenCVE Enrichment
Github GHSA