CVE-2023-26116

5.3 MEDIUM

📋 TL;DR

This vulnerability in Angular's angular.copy() function allows attackers to cause Denial of Service (DoS) through Regular Expression Denial of Service (ReDoS). By providing specially crafted input, attackers can trigger catastrophic backtracking that consumes excessive CPU resources. This affects Angular versions 1.2.21 and later.

💻 Affected Systems

Products:
  • AngularJS
  • Applications using AngularJS
  • Web applications with AngularJS dependencies
Versions: AngularJS versions 1.2.21 and later
Operating Systems: All operating systems running affected AngularJS versions
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using angular.copy() with untrusted input is vulnerable. The vulnerability is in the core AngularJS library.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to CPU exhaustion, potentially affecting all users of the application until the process is restarted.

🟠 Likely Case: Degraded performance and intermittent service disruptions affecting specific endpoints or users that trigger the vulnerable function.

🟢 If Mitigated: Minimal impact with proper input validation, rate limiting, and monitoring in place to detect and block malicious patterns.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific input patterns to trigger ReDoS. No public exploit code has been identified, but the vulnerability is well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: AngularJS 1.8.3 or later

Vendor Advisory: https://github.com/angular/angular.js/security/advisories/GHSA-5q2v-9m7v-8gvj

Restart Required: Yes

Instructions:

1. Update AngularJS dependency to version 1.8.3 or later.
2. Update package.json or equivalent dependency file.
3. Run npm update or equivalent package manager command.
4. Restart the application server.
5. Test application functionality.

🔧 Temporary Workarounds

Input Validation and Sanitization

Implement strict input validation and sanitization for data passed to angular.copy() function

Rate Limiting

Implement rate limiting on endpoints that use angular.copy() with user input

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to detect and block patterns that could trigger ReDoS
  • Monitor CPU usage and implement alerting for abnormal spikes that could indicate exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check package.json or the equivalent dependency file for the AngularJS version. If the version is between 1.2.21 and 1.8.2, the system is vulnerable.

Check Version:

npm list angular or check package.json for "angular" version

Verify Fix Applied:

Verify AngularJS version is 1.8.3 or later. Test angular.copy() function with various inputs to ensure normal performance.
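
The version check described above, as an added example (not code from this page or from the AngularJS project): it walks a parsed package-lock.json and classifies every installed copy of the angular package, including nested copies, against the range this page gives. The function names and the sample lockfile are constructed for illustration, and the bounds are the page's own.

```javascript
// Added example. Version bounds are the ones this page states.
const FIRST_AFFECTED = [1, 2, 21]; // "1.2.21 and later"
const FIRST_FIXED = [1, 8, 3];     // "Patch Version: AngularJS 1.8.3 or later"

// Parse an exact version ("1.8.2", "v1.8.2"; suffixes like "-rc.1" are ignored).
// Returns null for anything else, e.g. a range such as "^1.6.0".
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(text).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison, so 1.10.0 sorts after 1.8.3 (string comparison would not).
const compare = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

function classify(versionText) {
  const v = parseVersion(versionText);
  if (!v) return "unknown";
  const inRange = compare(v, FIRST_AFFECTED) >= 0 && compare(v, FIRST_FIXED) < 0;
  return inRange ? "affected" : "not-affected";
}

// Report every installed copy of the "angular" package in a parsed
// package-lock.json: the v2/v3 "packages" map, or v1 nested "dependencies".
function findAngular(lock) {
  const hits = [];
  const add = (path, meta) =>
    hits.push({ path, version: meta.version, status: classify(meta.version) });
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/angular" || path.endsWith("/node_modules/angular")) add(path, meta);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "angular") add(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (v3 layout), not taken from a real project.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/angular": { version: "1.8.3" },
    "node_modules/legacy-widget/node_modules/angular": { version: "1.5.11" },
    "node_modules/angular-route": { version: "1.8.2" },
  },
};
console.log(findAngular(SAMPLE_LOCK));
```

To check a real project, pass the parsed contents of its package-lock.json to findAngular.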

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU usage spikes
  • Increased response times for endpoints using angular.copy()
  • Process restarts due to resource exhaustion

Network Indicators:

  • Unusually large payloads sent to endpoints using angular.copy()
  • Repeated requests with similar patterns to the same endpoint

SIEM Query:

(source="application_logs" AND (message="high cpu" OR message="timeout") AND process="node") OR (source="web_server" AND response_time>5000)
