CVE-2023-26116 Overview
CVE-2023-26116 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting AngularJS versions from 1.2.21. The vulnerability exists in the angular.copy() utility function due to the usage of an insecure regular expression pattern. Attackers can exploit this flaw by providing carefully-crafted large input strings, which can result in catastrophic backtracking and cause the application to become unresponsive.
Critical Impact
Exploitation of this vulnerability can cause denial of service conditions in web applications using the vulnerable angular.copy() function, potentially leading to application unavailability and degraded user experience.
Affected Products
- AngularJS versions 1.2.21 and later
- Fedora 38 (bundled AngularJS packages)
- WebJars packages containing vulnerable AngularJS versions
Discovery Timeline
- March 30, 2023 - CVE-2023-26116 published to NVD
- November 20, 2025 - Last updated in NVD database
Technical Details for CVE-2023-26116
Vulnerability Analysis
This vulnerability is classified as CWE-1333 (Inefficient Regular Expression Complexity). The angular.copy() function in AngularJS utilizes a regular expression that is susceptible to catastrophic backtracking when processing maliciously crafted input. ReDoS vulnerabilities occur when a regular expression's evaluation time grows exponentially with input size, allowing an attacker to consume excessive CPU resources with relatively small but specifically structured payloads.
The attack is network-accessible and requires no authentication or user interaction, making it particularly concerning for publicly facing web applications. While the vulnerability does not impact confidentiality or integrity, it can effectively render the application unavailable to legitimate users.
Root Cause
The root cause of this vulnerability lies in the inefficient regular expression pattern used within the angular.copy() utility function. The regex contains patterns that create multiple possible matching paths, leading to exponential time complexity when the regex engine attempts to match against carefully constructed input strings. This is a common issue in JavaScript applications where regex patterns with nested quantifiers or overlapping alternatives are used without proper optimization.
Attack Vector
The attack vector is network-based, allowing remote attackers to target vulnerable applications over the internet. An attacker can craft a malicious payload containing strings specifically designed to trigger the worst-case behavior of the vulnerable regular expression. When the angular.copy() function processes this input, the regex engine enters a state of catastrophic backtracking, consuming CPU cycles and potentially blocking the JavaScript event loop.
The exploitation does not require any privileges or authentication, and no user interaction is needed. The attacker simply needs to deliver the malicious input to any application endpoint that passes user-controlled data through the angular.copy() function. A proof-of-concept demonstrating this vulnerability is available on StackBlitz.
Detection Methods for CVE-2023-26116
Indicators of Compromise
- Abnormally high CPU utilization on web application servers without corresponding increase in legitimate traffic
- Application response time degradation or timeouts when processing specific input patterns
- Browser or Node.js processes becoming unresponsive during AngularJS operations
- Repeated requests containing unusually long or repetitive string patterns targeting application endpoints
Detection Strategies
- Implement application performance monitoring (APM) to detect unusual CPU spikes correlated with specific request patterns
- Deploy Web Application Firewall (WAF) rules to identify and block requests containing known ReDoS payload patterns
- Use static code analysis tools to scan for usage of angular.copy() with untrusted user input
- Monitor JavaScript execution times and set alerting thresholds for abnormal function execution durations
Monitoring Recommendations
- Configure real-time alerting for sustained CPU utilization above baseline thresholds on frontend and API servers
- Implement request timeout mechanisms to terminate long-running operations that may indicate ReDoS exploitation
- Review application logs for patterns of failed or timed-out requests that could indicate exploitation attempts
- Use browser developer tools or server-side profiling to identify performance bottlenecks in AngularJS applications
How to Mitigate CVE-2023-26116
Immediate Actions Required
- Audit all applications using AngularJS to identify instances where angular.copy() processes user-controlled input
- Implement input validation and length restrictions on data passed to the angular.copy() function
- Consider migrating from AngularJS (which reached end-of-life in December 2021) to a modern, actively maintained framework such as Angular
- Apply available patches from Linux distribution repositories (Fedora, Debian) if using packaged AngularJS versions
Patch Information
Fedora and Debian have released security advisories addressing this vulnerability in their packaged versions of AngularJS. Refer to the Fedora Package Announcements and Debian LTS Security Announcement for specific patch versions and installation instructions.
For applications using npm or WebJars packages, consult the Snyk Vulnerability Reports for detailed remediation guidance and affected package versions.
Workarounds
- Implement server-side input validation to restrict the length and character patterns of data before it reaches AngularJS functions
- Add request timeout mechanisms at the load balancer or reverse proxy level to prevent long-running requests from consuming resources
- Use rate limiting to reduce the impact of repeated exploitation attempts from a single source
- Consider wrapping angular.copy() calls with try-catch blocks and execution time limits where direct patching is not feasible
# Example: Check AngularJS version in your project
grep -r "angular" package.json package-lock.json | grep version
# Example: Update Fedora packages
sudo dnf update angularjs
# Example: Check for vulnerable dependencies using npm
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
