CVE-2022-25844 Overview
CVE-2022-25844 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting AngularJS versions 1.7.0 and higher. The vulnerability exists in the locale handling functionality, where a malicious custom locale rule can assign an extremely high value to the NUMBER_FORMATS.PATTERNS[1].posPre parameter using ' '.repeat(). This can cause catastrophic backtracking in regular expression processing, leading to application denial of service.
It is critical to note that AngularJS has been deprecated and is no longer maintained, making this vulnerability particularly concerning for legacy applications that have not migrated to modern Angular versions.
Critical Impact
Attackers can exploit this ReDoS vulnerability to cause application unavailability by providing specially crafted locale rules that exhaust server resources during number formatting operations.
Affected Products
- AngularJS versions 1.7.0 and higher
- Fedora 35 and Fedora 36 (bundled AngularJS packages)
- NetApp ONTAP Select Deploy Administration Utility
Discovery Timeline
- May 1, 2022 - CVE-2022-25844 published to NVD
- November 20, 2025 - Last updated in NVD database
Technical Details for CVE-2022-25844
Vulnerability Analysis
This ReDoS vulnerability stems from improper handling of user-supplied locale configuration in AngularJS's number formatting system. The vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity), indicating that the regular expression patterns used in the affected code can exhibit exponential time complexity when processing maliciously crafted input.
The attack is network-accessible and requires no authentication or user interaction, making it relatively straightforward to exploit. While this vulnerability does not compromise data confidentiality or integrity, it poses a significant availability risk by enabling attackers to consume excessive CPU resources and render applications unresponsive.
Root Cause
The root cause lies in AngularJS's number formatting functionality within the NUMBER_FORMATS.PATTERNS configuration. When processing custom locale rules, the framework allows arbitrary string values to be assigned to the posPre property of number patterns. By providing an extremely long string generated via ' '.repeat() with a very high value, an attacker can cause the regular expression engine to enter catastrophic backtracking, consuming excessive CPU cycles.
The deprecated status of AngularJS means no official patch will be released, leaving organizations dependent on community-maintained forks or requiring migration to modern Angular.
Attack Vector
The attack can be executed remotely over the network by providing a malicious custom locale configuration to an application using vulnerable AngularJS versions. The attacker crafts a locale rule that includes an extremely large string value for the posPre parameter in NUMBER_FORMATS.PATTERNS[1].
When the application processes this locale configuration and attempts to format numbers according to the malicious pattern, the underlying regular expression engine becomes trapped in exponential backtracking. This causes the JavaScript runtime to consume all available CPU resources, effectively freezing the application and denying service to legitimate users.
The vulnerability is particularly dangerous in server-side rendering scenarios or applications that allow users to customize localization settings.
Detection Methods for CVE-2022-25844
Indicators of Compromise
- Abnormally high CPU utilization on servers running AngularJS applications
- Application unresponsiveness or timeouts during number formatting operations
- Unusual requests containing large locale configuration payloads
- JavaScript execution timeouts or browser tab crashes in client-side applications
Detection Strategies
- Monitor server CPU usage patterns for sustained spikes correlated with specific AngularJS operations
- Implement request payload size limits to detect and block excessively large locale configurations
- Use application performance monitoring (APM) tools to identify slow regular expression execution
- Audit application logs for patterns indicating repeated number formatting failures
Monitoring Recommendations
- Deploy real-time CPU monitoring with alerts for abnormal processing patterns
- Implement web application firewall (WAF) rules to inspect and limit custom locale parameters
- Track response times for endpoints that utilize AngularJS number formatting
- Enable detailed logging for locale configuration changes and custom format applications
How to Mitigate CVE-2022-25844
Immediate Actions Required
- Conduct an inventory of all applications using AngularJS versions 1.7.0 and higher
- Restrict the ability for users to supply custom locale configurations where possible
- Implement input validation to limit the size of strings in locale rule parameters
- Prioritize migration planning from AngularJS to modern Angular frameworks
Patch Information
AngularJS has been officially deprecated and is no longer receiving security updates from the original maintainers. Organizations should treat this as a permanent vulnerability in the AngularJS codebase. Migration to Angular (versions 2+) or other modern JavaScript frameworks is the recommended long-term solution.
For reference, security advisories have been published by:
- Fedora Package Announcements for Fedora 35 and 36
- NetApp Security Advisory
- Snyk JavaScript Vulnerability Database
Workarounds
- Disable or restrict custom locale functionality in AngularJS applications to prevent malicious input
- Implement server-side validation to reject locale configurations with excessively long string values
- Set execution time limits for JavaScript operations to prevent indefinite hangs
- Consider using a reverse proxy or WAF to filter potentially malicious requests before they reach the application
# Example: Nginx rate limiting and request size restriction
# Add to your nginx.conf server block
# Limit request body size to prevent large payload attacks
client_max_body_size 1m;
# Rate limit for specific AngularJS endpoints
limit_req_zone $binary_remote_addr zone=angularjs_limit:10m rate=10r/s;
location /api/ {
limit_req zone=angularjs_limit burst=20 nodelay;
# Additional proxy settings
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
