CVE-2024-21490 Overview
CVE-2024-21490 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the AngularJS package from version 1.3.0 onwards. The vulnerability exists in a regular expression used to split the value of the ng-srcset directive, which is susceptible to super-linear runtime due to backtracking. When supplied with large, carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service condition, rendering affected applications unresponsive.
Critical Impact
This vulnerability can lead to application unavailability through CPU exhaustion. Notably, AngularJS is end-of-life (EOL) and will not receive any patches to address this issue. Organizations must migrate to @angular/core to remediate this vulnerability.
Affected Products
- AngularJS versions 1.3.0 and later
- WebJars Bower package (org.webjars.bower:angular)
- WebJars NPM package (org.webjars.npm:angular)
Discovery Timeline
- 2024-02-10 - CVE-2024-21490 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-21490
Vulnerability Analysis
The vulnerability resides in the ng-srcset directive implementation within AngularJS. This directive is used for responsive image handling and accepts a comma-separated list of image URLs with width or pixel-density descriptors. The regular expression used to split this input contains patterns that exhibit super-linear runtime, due to backtracking, when processing malicious input strings.
ReDoS vulnerabilities occur when regular expressions can be forced into computationally expensive backtracking states. In this case, an attacker can craft input that causes the regex engine to explore an exponentially growing number of possible matches before ultimately failing, consuming significant CPU resources during processing. This is classified under CWE-1333 (Inefficient Regular Expression Complexity).
The impact is availability-focused, as successful exploitation will cause the application to become unresponsive while the regex engine processes the malicious input. This affects any AngularJS application that uses the ng-srcset directive and processes user-controllable input.
Root Cause
The root cause is an inefficient regular expression in the AngularJS source code that splits ng-srcset directive values. The regex contains nested quantifiers or overlapping alternations that give the regex engine multiple paths to explore, leading to super-linear backtracking when processing strings that nearly match but ultimately fail.
This is a common pattern in ReDoS vulnerabilities where regex patterns like (a+)+ or similar constructs with nested repetition operators cause the regex engine to try exponentially many combinations before concluding that no match exists.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by providing specially crafted input to an ng-srcset directive in any of the following ways:
- Injecting malicious values through user-controllable data that gets bound to ng-srcset
- Manipulating URL parameters or form inputs that are rendered in templates using the directive
- Exploiting any mechanism where external data influences the ng-srcset attribute value
The attack causes CPU exhaustion on the client-side (browser) or server-side if AngularJS is used in server-side rendering scenarios. A live demonstration of this vulnerability is available on StackBlitz for educational purposes.
Detection Methods for CVE-2024-21490
Indicators of Compromise
- High CPU utilization in browser processes when loading specific pages
- Application freezes or unresponsiveness during image loading operations
- Unusual spikes in client-side JavaScript execution time
- User complaints about browser tabs becoming unresponsive
Detection Strategies
- Implement Software Composition Analysis (SCA) to identify AngularJS versions 1.3.0 or later in your codebase
- Monitor JavaScript error logs for regex timeout or execution exceeded warnings
- Use dependency scanning tools to flag EOL packages like AngularJS
- Audit templates for ng-srcset directive usage with user-controllable input
Monitoring Recommendations
- Deploy client-side performance monitoring to detect abnormal JavaScript execution times
- Implement Content Security Policy (CSP) headers to limit attack surface
- Monitor application performance metrics for sudden degradation patterns
- Use Real User Monitoring (RUM) to identify pages experiencing performance issues
How to Mitigate CVE-2024-21490
Immediate Actions Required
- Migrate from AngularJS to @angular/core as AngularJS is end-of-life and will not receive security patches
- Audit all usage of the ng-srcset directive in your application templates
- Implement input validation and sanitization for any user-controllable data bound to ng-srcset
- Consider removing or disabling the ng-srcset directive if not essential to application functionality
Patch Information
AngularJS has reached end-of-life status and the maintainers have explicitly stated that no updates will be provided to address this vulnerability. Organizations must migrate to the modern Angular framework (@angular/core) available on npm to receive ongoing security support.
For organizations unable to immediately migrate, HeroDevs provides extended support for legacy AngularJS applications.
Workarounds
- Implement server-side validation to reject potentially malicious ng-srcset values before they reach the client
- Use a web application firewall (WAF) to filter requests containing suspicious patterns
- Replace ng-srcset with custom directive implementations that use safer regex patterns
- Limit the maximum length of input that can be processed by the ng-srcset directive
# Example: Using npm to check for vulnerable AngularJS versions
npm ls angular
# Look for versions >= 1.3.0
# Example: Migrate to modern Angular
npm uninstall angular
npm install @angular/core
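The following is an added example, not AngularJS code and not from the advisory: a constructed descriptor-splitting regex of the shape described under Root Cause, beside the hardened form the Workarounds section calls for (a length limit plus a single-pass parser that never backtracks). The parser names (parseWithRegex, parseLinear), the simplified srcset grammar and the 4096-character default limit are assumptions of this example.

```javascript
// Added example (not AngularJS code). SRCSET_RE is a constructed pattern with the
// same shape as a descriptor-splitting regex: " 640w," / " 2x," or a bare ",".
// Its \s+ and \s* pieces overlap, so a long run of spaces that never ends in a
// descriptor is re-scanned from every start position: O(n^2) on n spaces.
const SRCSET_RE = /\s+(\d+[wx])\s*(?:,|$)|\s*,/;

// Regex-based splitter: the shape that backtracks (constructed for illustration).
function parseWithRegex(value) {
  const parts = value.trim().split(SRCSET_RE); // [url, desc|undefined, url, desc, ...]
  const out = [];
  for (let i = 0; i < parts.length; i += 2) {
    const url = parts[i].trim();
    if (url) out.push({ url, descriptor: parts[i + 1] ?? null });
  }
  return out;
}

// Hardened form: a length guard plus a single pass over a simplified srcset
// grammar ("url [Nw|Nx]" entries separated by commas). Returns null when the
// value is too long or a descriptor is malformed, so bad input is rejected early.
function parseLinear(value, maxLen = 4096) {
  if (value.length > maxLen) return null;
  const out = [];
  for (const entry of value.split(',')) {
    const fields = entry.split(/\s/).filter(Boolean); // /\s/ has no quantifier: linear
    if (fields.length === 0) continue;
    const [url, descriptor = null, ...rest] = fields;
    if (rest.length || (descriptor !== null && !/^\d+[wx]$/.test(descriptor))) return null;
    out.push({ url, descriptor });
  }
  return out;
}

function timeMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed input: one URL, a long run of spaces, and no valid descriptor.
const pathological = 'a.jpg' + ' '.repeat(5000) + '0';
console.log('regex  :', timeMs(parseWithRegex, pathological).toFixed(1), 'ms');
console.log('linear :', timeMs((v) => parseLinear(v, Infinity), pathological).toFixed(1), 'ms');
console.log('guarded:', parseLinear(pathological)); // null: rejected by the length limit
```

Growing the space run shows the regex time rising roughly quadratically while the linear parser stays flat; in a custom directive the length guard alone bounds the worst case even before the parser is swapped.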
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.