Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Published: 2026-06-22
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed date format string supplied to expression loop that allocates memory without bounds. The resulting high CPU usage and excessive memory allocation can crash or hang an Angular application, denying service. This is a classic resource exhaustion flaw identified as CWE-1333, CWE-400, and CWE-1284.

Affected Systems

Angular applications prior to 22.0.1, 21.2.17, or 20.3.25 are affected. The vulnerability is present in the standard DatePipe as well. Any web front‑end built with these Angular.

Risk and Exploitability

The risk is moderate to high: the CVSS score is 8.2 and the exploitability is straightforward—any attacker can send an overly long format string to the client side and trigger the loop. The EPSS score of < 1% indicates a very low but nonzero probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. As the DoS occurs client‑side, it can be triggered from any network channel that can reach the application’s front‑end.

Generated by OpenCVE AI on July 12, 2026 at 11:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Angular to 22.0.1, 21.2.17, or 20.3.25 – the versions that contain the fix for formatDate
  • If an upgrade cannot be performed immediately, implement size limits on format strings fed to DatePipe or formatDate, ensuring the string length does not exceed a safe threshold
  • Apply monitoring or rate limiting to detect and mitigate abnormal CPU usage spikes that may indicate an ongoing DoS attempt

Generated by OpenCVE AI on July 12, 2026 at 11:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-48r7-hpm6-gfxm @angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
History

Thu, 09 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Moderate


Tue, 23 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Angular
Angular angular
Vendors & Products Angular
Angular angular

Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Title Angular: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
Weaknesses CWE-1333
CWE-400
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T16:09:21.239Z

Reserved: 2026-06-12T17:13:32.279Z

Link: CVE-2026-54268

cve-icon Vulnrichment

Updated: 2026-06-23T16:07:31.436Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T15:31:47Z

Links: CVE-2026-54268 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-12T11:15:16Z

Weaknesses
  • CWE-1284

    Improper Validation of Specified Quantity in Input

  • CWE-1333

    Inefficient Regular Expression Complexity

  • CWE-400

    Uncontrolled Resource Consumption