CVE-2026-50171 Overview
CVE-2026-50171 is a Denial of Service (DoS) vulnerability in the @angular/common package of Angular, a development platform for building mobile and desktop web applications using TypeScript/JavaScript. The flaw resides in the formatNumber function, which is also used by DecimalPipe, PercentPipe, and CurrencyPipe. The function does not validate the upper bounds of the digitsInfo parameter, allowing an attacker to trigger an unbounded loop via a crafted input. Maintainers fixed the issue in versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23. The weakness is categorized as [CWE-400] Uncontrolled Resource Consumption.
Critical Impact
A maliciously crafted digitsInfo string such as 1.200000000-200000000 triggers an unbounded loop in the internal roundNumber function, exhausting CPU and memory and rendering affected Angular applications unresponsive.
Affected Products
- Angular @angular/common versions prior to 19.2.23
- Angular @angular/common versions prior to 20.3.22 and 21.2.15
- Angular @angular/common versions prior to 22.0.0-rc.2
Discovery Timeline
- 2026-06-22 - CVE-2026-50171 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-50171
Vulnerability Analysis
The vulnerability affects the number formatting logic in @angular/common. The formatNumber function accepts a digitsInfo string of the form minIntegerDigits.minFractionDigits-maxFractionDigits (for example, 1.2-4). Angular parses these values into integers and passes them directly to the internal roundNumber routine without enforcing reasonable upper bounds.
When roundNumber pads the digits array to match the requested fraction size, it executes a loop that pushes elements until the array reaches the requested length. Supplying an extreme value such as 200000000 forces the loop to iterate hundreds of millions of times. The result is sustained CPU consumption and excessive memory allocation in the Node.js or browser runtime hosting the Angular application.
Because DecimalPipe, PercentPipe, and CurrencyPipe all delegate to formatNumber, any template binding that allows user-controlled digitsInfo input transitively inherits the flaw. Server-side rendering (SSR) deployments are particularly exposed because the loop blocks the Node event loop, denying service to all concurrent users.
Root Cause
The root cause is missing input validation on the maxFractionDigits value parsed from digitsInfo. The implementation trusts the parsed integer and uses it as a loop bound, an instance of [CWE-400] Uncontrolled Resource Consumption.
Attack Vector
The attack vector is network-based and requires no authentication. An attacker supplies a malicious digitsInfo value through any application surface that forwards user input to a number pipe — for example, query parameters, form fields, or API responses bound to a template using {{ value | number:userInput }}. The vulnerability does not yield code execution or data disclosure; impact is limited to availability.
No verified public exploit code is available. Reproduction is straightforward by invoking formatNumber(1, 'en-US', '1.200000000-200000000') against an unpatched build. See the GitHub Security Advisory GHSA-p3vc-36g9-x9gr for technical details.
Detection Methods for CVE-2026-50171
Indicators of Compromise
- HTTP requests containing digitsInfo-like parameters with abnormally large fraction-digit values such as 1.200000000-200000000.
- Sustained 100% CPU usage on Angular SSR workers or browser tabs immediately following a request containing crafted pipe input.
- Application logs showing single-request response times exceeding several seconds for endpoints that render DecimalPipe, PercentPipe, or CurrencyPipe output.
Detection Strategies
- Inspect Angular template source for pipes that accept user-controlled digitsInfo arguments, such as value | number:userField.
- Inventory @angular/common package versions across repositories and build artifacts and flag versions below the fixed releases.
- Add Web Application Firewall (WAF) rules matching request parameters that resemble digitsInfo patterns with fraction digits greater than a sane limit (for example, 20).
Monitoring Recommendations
- Alert on Node.js event loop lag or unusually long synchronous task durations on SSR servers.
- Monitor process memory growth and per-request CPU time for endpoints that emit formatted numbers.
- Track outbound dependency manifests (package.json, package-lock.json) in CI to surface unpatched @angular/common versions before release.
How to Mitigate CVE-2026-50171
Immediate Actions Required
- Upgrade @angular/common to 19.2.23, 20.3.22, 21.2.15, or 22.0.0-rc.2 depending on the major version in use.
- Audit application code to ensure digitsInfo arguments passed to DecimalPipe, PercentPipe, and CurrencyPipe are never sourced from untrusted input.
- Deploy WAF or reverse-proxy rules that reject request parameters matching the vulnerable digitsInfo pattern with excessive fraction digits.
Patch Information
The Angular team fixed CVE-2026-50171 in @angular/common versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23. Refer to the GitHub Security Advisory GHSA-p3vc-36g9-x9gr for the official fix and release notes.
Workarounds
- Validate and constrain any user-supplied digitsInfo value server-side before binding it to an Angular number pipe; reject values where fraction digits exceed a small constant such as 20.
- Replace dynamic digitsInfo arguments with hardcoded format strings in templates until the upgrade is deployed.
- Apply rate limiting and request timeouts on SSR endpoints to limit the blast radius of a single abusive request.
# Configuration example
npm install @angular/common@21.2.15
# or for other supported branches:
# npm install @angular/common@19.2.23
# npm install @angular/common@20.3.22
# npm install @angular/common@22.0.0-rc.2
npm ls @angular/common
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

