CVE-2026-54268 Overview
CVE-2026-54268 is a Denial of Service (DoS) vulnerability in the @angular/common package of the Angular framework. The flaw resides in the formatDate function, which is also used by the standard Angular DatePipe. The function does not validate or limit the length of the format parameter. When the internal parser processes an excessively long or repeating format string through a regular expression splitting loop, the operation consumes uncontrolled CPU and memory resources. Maintainers fixed the issue in Angular versions 22.0.1, 21.2.17, and 20.3.25. The weakness is classified under CWE-400 (Uncontrolled Resource Consumption).
Critical Impact
A remote, unauthenticated attacker can trigger sustained CPU and memory exhaustion in Angular applications that pass user-controlled date format strings to formatDate or DatePipe, rendering the application unresponsive.
Affected Products
- Angular @angular/common versions prior to 20.3.25
- Angular @angular/common versions 21.0.0 through 21.2.16
- Angular @angular/common versions 22.0.0 (fixed in 22.0.1)
Discovery Timeline
- 2026-06-22 - CVE-2026-54268 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-54268
Vulnerability Analysis
The vulnerability resides in packages/common/src/i18n/format_date.ts. The formatDate function parses a caller-supplied format string using the DATE_FORMATS_SPLIT regular expression in an iterative loop. Each iteration peels off one token and recurses on the remaining substring. Without a length cap on the input, parsing time and intermediate string allocations scale with the size of the format string. Repeating patterns amplify backtracking-like behavior in the regular expression engine, producing pathological execution times.
Applications are exposed when they forward HTTP request parameters, URL fragments, query strings, or other untrusted input into formatDate, the date pipe, or any wrapper that calls them. A single request carrying a multi-megabyte format string can pin a Node.js worker thread or a browser tab, and concurrent requests can stall an entire server-side rendering (SSR) deployment.
Root Cause
The formatDate parser lacked a maximum bound on the format argument. The regex split loop processed arbitrarily large inputs, leading to quadratic-time string operations and unchecked memory growth. The fix introduces a MAX_DATE_FORMAT_LENGTH constant of 256 characters and rejects format strings exceeding that limit before parsing begins.
Attack Vector
The attack is network-reachable and requires no authentication or user interaction. An attacker submits a long, repeating format token sequence to any endpoint or component that reaches formatDate. Server-side Angular Universal applications are the highest-impact targets because the exhaustion affects shared backend resources.
// Source: https://github.com/angular/angular/commit/eeb03f4ea310e2e51ba5d53a421ec7b418e186cd
// Patch in packages/common/src/i18n/format_date.ts
const NAMED_FORMATS: {[localeId: string]: {[format: string]: string}} = {};
const DATE_FORMATS_SPLIT =
/((?:[^BEGHLMOSWYZabcdhmswyz']+)|(?:'(?:[^']|'')*')|(?:G{1,5}|y{1,4}|Y{1,4}|M{1,5}|L{1,5}|w{1,2}|W{1}|d{1,2}|E{1,6}|c{1,6}|a{1,5}|b{1,5}|B{1,5}|h{1,2}|H{1,2}|m{1,2}|s{1,2}|S{1,3}|z{1,4}|Z{1,5}|O{1,4}))([\s\S]*)/;
+const MAX_DATE_FORMAT_LENGTH = 256;
const enum ZoneWidth {
Short,
The patch adds an upper bound that the parser enforces before entering the split loop. See the GitHub Security Advisory GHSA-48r7-hpm6-gfxm and the pull request discussion for the full review.
Detection Methods for CVE-2026-54268
Indicators of Compromise
- HTTP requests containing query parameters, form fields, or JSON values with date-format token strings longer than 256 characters.
- Repeating patterns of Angular format tokens (y, M, d, H, m, s, S) inside request bodies or URLs.
- Sustained 100% CPU utilization on Angular SSR Node.js processes correlated with specific inbound requests.
- Spikes in event-loop lag and garbage-collection pauses on Angular Universal servers.
Detection Strategies
- Inspect application logs and reverse-proxy access logs for unusually large parameter values that flow into formatDate or DatePipe.
- Add runtime telemetry around formatDate calls to record input length distribution and alert on outliers.
- Use a web application firewall (WAF) rule to block requests where any single parameter exceeds a reasonable size threshold.
Monitoring Recommendations
- Track CPU, memory, and request-duration percentiles for Angular SSR pods and trigger alerts when the 99th percentile diverges from baseline.
- Capture stack samples during latency spikes to confirm time spent inside format_date.ts.
- Maintain a software bill of materials (SBOM) and continuously scan deployed bundles for vulnerable @angular/common versions.
How to Mitigate CVE-2026-54268
Immediate Actions Required
- Upgrade @angular/common to 22.0.1, 21.2.17, or 20.3.25 depending on the major version in use.
- Audit application code for any path that passes untrusted input as the second argument to formatDate or as the format value of the date pipe.
- Cap inbound request body and parameter sizes at the reverse proxy or API gateway to limit amplification.
- Restart Angular Universal workers after deployment to clear any in-flight resource exhaustion.
Patch Information
The fix is committed in angular/angular@eeb03f4 and published in @angular/common versions 22.0.1, 21.2.17, and 20.3.25. The patch introduces MAX_DATE_FORMAT_LENGTH = 256 and rejects oversized format strings before parsing.
Workarounds
- Validate and truncate any user-supplied format string to 256 characters or fewer before invoking formatDate.
- Restrict acceptable format values to a server-side allowlist instead of accepting arbitrary input.
- Deploy WAF signatures that drop requests containing excessively long sequences of Angular date-format tokens.
# Upgrade @angular/common to a patched release
npm install @angular/common@22.0.1
# or, for the 21.x line
npm install @angular/common@21.2.17
# or, for the 20.x line
npm install @angular/common@20.3.25
# Verify installed version
npm ls @angular/common
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

