CVE-2023-26117 Overview
CVE-2023-26117 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting AngularJS versions from 1.0.0 and above. The vulnerability exists within the $resource service due to the usage of an insecure regular expression pattern. When processing carefully-crafted input strings, the vulnerable regex can enter a state of catastrophic backtracking, causing the application to become unresponsive and consuming excessive CPU resources.
ReDoS attacks exploit inefficient regular expression patterns that exhibit exponential time complexity when processing certain input strings. In the context of AngularJS, this vulnerability can be leveraged by attackers to degrade application performance or cause complete denial of service by submitting malicious payloads to endpoints that utilize the affected $resource service.
Critical Impact
Applications using AngularJS's $resource service are vulnerable to denial of service attacks through crafted input that triggers catastrophic regex backtracking, potentially causing application unavailability.
Affected Products
- AngularJS versions from 1.0.0 and above
- Fedora 38 (bundled AngularJS packages)
- WebJars distributions of AngularJS (npm, bower, and bower-github variants)
Discovery Timeline
- 2023-03-30 - CVE-2023-26117 published to NVD
- 2025-11-20 - Last updated in NVD database
Technical Details for CVE-2023-26117
Vulnerability Analysis
The vulnerability stems from an insecure regular expression pattern used within AngularJS's $resource service. The $resource service is a factory that creates a resource object for interacting with RESTful server-side data sources. During URL processing and parameter handling, the service employs regex patterns that are susceptible to algorithmic complexity attacks.
When a regex pattern contains nested quantifiers or overlapping alternation groups, certain input strings can cause the regex engine to explore an exponentially growing number of possible matches before determining that no match exists. This phenomenon, known as catastrophic backtracking, results in CPU exhaustion and can render the application unresponsive.
The specific issue relates to how the $resource service handles trailing slashes in resource URLs. The vulnerable regex pattern allows attackers to construct input strings that maximize backtracking iterations, effectively weaponizing the regex evaluation process.
Root Cause
The root cause of CVE-2023-26117 is the use of a regular expression pattern with poor algorithmic complexity characteristics. The regex likely contains nested or overlapping quantifiers that create multiple paths for the regex engine to explore when attempting to match input strings. When combined with specially crafted input containing repeated character sequences, this results in exponential time complexity during pattern matching.
This is classified under CWE-1333 (Inefficient Regular Expression Complexity), which describes vulnerabilities where regex patterns exhibit super-linear worst-case computational complexity. The fundamental issue is a failure to implement regex patterns with bounded execution time regardless of input characteristics.
Attack Vector
The attack vector for this vulnerability is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by sending HTTP requests containing malicious payloads to any application endpoint that processes input through the vulnerable $resource service.
The attack exploits the trailing slashes handling mechanism in the $resource service. By crafting input strings with specific patterns of characters and repetitions, an attacker forces the regex engine into catastrophic backtracking. A demonstration of this vulnerability is available through the StackBlitz AngularJS Vulnerability Resource.
The exploitation does not require complex setup—a single malicious request with a carefully constructed payload can trigger the denial of service condition. The attack can be sustained by sending repeated requests, preventing legitimate users from accessing the application.
Detection Methods for CVE-2023-26117
Indicators of Compromise
- Unusual CPU spikes correlated with incoming HTTP requests to AngularJS applications
- Extended response times or request timeouts on endpoints using $resource service
- Application server logs showing requests with abnormally long strings containing repetitive character patterns
- Memory and CPU resource exhaustion alerts on servers hosting AngularJS applications
Detection Strategies
- Monitor application performance metrics for sudden degradation in response times when processing specific request patterns
- Implement request payload analysis to detect strings with excessive length or repetitive character sequences targeting known ReDoS patterns
- Deploy Web Application Firewall (WAF) rules to identify and block requests containing potential ReDoS payloads
- Use runtime application self-protection (RASP) solutions to detect and terminate long-running regex evaluations
Monitoring Recommendations
- Enable detailed logging for the $resource service to capture request parameters and URL patterns
- Set up alerting thresholds for CPU utilization spikes on application servers
- Implement request timeout monitoring to detect endpoints experiencing unusual latency
- Deploy SentinelOne Singularity Platform for real-time detection of resource exhaustion attacks and anomalous application behavior
How to Mitigate CVE-2023-26117
Immediate Actions Required
- Audit all applications using AngularJS to identify usage of the $resource service
- Implement input validation and length limits on all user-supplied data that may be processed by $resource
- Deploy rate limiting on endpoints that utilize the affected service to reduce the impact of DoS attempts
- Consider migrating from AngularJS to Angular (Angular 2+), as AngularJS has reached end-of-life status
Patch Information
Organizations should consult the distribution-specific security advisories for patched versions:
- Fedora: Security updates have been released. See the Fedora Package Announcement for details.
- Debian: LTS users should review the Debian LTS Announcement.
- WebJars: Multiple distributions are affected including bower, bower-github, and npm variants. See the Snyk vulnerability database for specific package details: SNYK-JS-ANGULAR-3373045.
Note that AngularJS reached end-of-life on December 31, 2021, and no longer receives official security updates from the AngularJS team.
Workarounds
- Implement request payload size limits at the web server or load balancer level to prevent excessively long inputs from reaching the application
- Add timeout mechanisms for regex operations to prevent runaway processing
- Deploy a Web Application Firewall (WAF) with rules to detect and block ReDoS attack patterns
- Consider wrapping $resource service calls with input sanitization that strips or rejects potentially malicious character patterns
# Example nginx configuration to limit request body size
# Add to server or location block to mitigate large payload attacks
client_max_body_size 1m;
client_body_timeout 10s;
# Rate limiting configuration
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
limit_req zone=api_limit burst=20 nodelay;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
