CVE-2023-26118 – This vulnerability allows attackers to cause De... (How to Fix)

Q: What is the severity of CVE-2023-26118?

CVE-2023-26118 has a CVSS score of 5.3 (MEDIUM). This vulnerability allows attackers to cause Denial of Service (DoS) in Angular applications by submitting specially crafted URLs to input fields with type='url'. The attack exploits inefficient regular expression processing that can consume excessive CPU resources. Applications using Angular 1.4.9 or later with URL input fields are affected.

📋 TL;DR

This vulnerability allows attackers to cause Denial of Service (DoS) in Angular applications by submitting specially crafted URLs to input fields with type='url'. The attack exploits inefficient regular expression processing that can consume excessive CPU resources. Applications using Angular 1.4.9 or later with URL input fields are affected.

💻 Affected Systems

Products:

AngularJS
Applications using AngularJS

Versions: 1.4.9 and later versions

Operating Systems: All operating systems running affected Angular versions

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects applications using <input type='url'> elements. Applications without URL input fields are not vulnerable.

📦 What is this software?

Angularjs by Angularjs

View all CVEs affecting Angularjs →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete application unavailability due to CPU exhaustion, potentially affecting all users of the vulnerable application.

🟠

Likely Case

Degraded performance or temporary unavailability of specific application components that process URL inputs.

🟢

If Mitigated

Minimal impact with proper input validation and rate limiting in place.

🌐 Internet-Facing: HIGH - Public-facing applications with URL input fields are directly exposed to attack.

🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires no authentication and can be performed via simple HTTP requests with crafted payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to AngularJS 1.8.3 or later

Vendor Advisory: https://github.com/angular/angular.js/security/advisories/GHSA-4g6j-7jwr-3qj9

Restart Required: Yes

Instructions:

1. Update AngularJS dependency to version 1.8.3 or later. 2. Update package.json or equivalent dependency file. 3. Run npm update or equivalent package manager command. 4. Restart the application server. 5. Test URL input functionality.

🔧 Temporary Workarounds

Input Validation Workaround

all

Implement server-side validation for URL inputs to reject malformed URLs before Angular processing

Rate Limiting

all

Implement rate limiting on URL input endpoints to prevent mass exploitation

🧯 If You Can't Patch

Disable or remove URL input fields from vulnerable applications
Implement Web Application Firewall (WAF) rules to block suspicious URL patterns

🔍 How to Verify

Check if Vulnerable:

Check package.json or equivalent for AngularJS version 1.4.9 or later, and verify application uses <input type='url'> elements

Check Version:

npm list angular or check package.json for 'angular' version

Verify Fix Applied:

Verify AngularJS version is 1.8.3 or later and test URL input functionality with various inputs

📡 Detection & Monitoring

Log Indicators:

Multiple failed URL validation attempts
Unusually long URL strings in requests
High CPU usage spikes on application servers

Network Indicators:

Repeated POST/GET requests with long URL parameters to input endpoints

SIEM Query:

source='application_logs' AND (message CONTAINS 'url' OR message CONTAINS 'input') AND (message CONTAINS 'timeout' OR message CONTAINS 'slow')

📊 Metadata

CVE ID: CVE-2023-26118

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-1333

Published: March 30, 2023

Last Updated: November 20, 2025

🔗 References

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/ Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406326 Exploit,Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406328 Exploit
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406327 Exploit,Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046 Exploit,Third Party Advisory
https://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos Exploit,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/ Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406326 Exploit,Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406328 Exploit
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406327 Exploit,Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046 Exploit,Third Party Advisory
https://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-26118, you might also want to check these: