CVE-2024-21490

7.5 HIGH

📋 TL;DR

This CVE describes a regular expression denial of service (ReDoS) vulnerability in AngularJS versions 1.3.0 and above. Attackers can cause denial of service by providing specially crafted input to the ng-srcset directive that triggers catastrophic backtracking. This affects all applications using vulnerable AngularJS versions, particularly those accepting user-controlled input in ng-srcset attributes.

💻 Affected Systems

Products:
  • AngularJS
Versions: 1.3.0 and above
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects AngularJS (angular), not Angular (@angular/core). The package is end-of-life and won't receive official patches.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete application unavailability due to CPU exhaustion from ReDoS, potentially affecting all users of the vulnerable application.

🟠 Likely Case

Degraded performance or temporary unavailability for users accessing pages with malicious ng-srcset payloads.

🟢 If Mitigated

Minimal impact if input validation prevents malicious payloads or if application load is distributed across multiple instances.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept available at provided StackBlitz link. Exploitation requires ability to control ng-srcset attribute content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

Migrate to @angular/core as AngularJS is end-of-life. No official patch exists for AngularJS.

🔧 Temporary Workarounds

Input Validation for ng-srcset

all

Implement strict input validation/sanitization for any user-controlled data used in ng-srcset attributes to prevent malicious payloads.
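The validation this workaround calls for, as an added example (this is not code from the advisory or from the AngularJS project): a length-bounded, single-pass srcset validator that an application can run over user-controlled data before binding it to ng-srcset. It assumes the application assembles the srcset string itself before the template sees it; the names parseSrcsetCandidates and sanitizeSrcset and the limits MAX_LEN and MAX_CANDIDATES are illustrative choices, not anything AngularJS defines.

```javascript
// Added example, not code from the advisory or from the AngularJS project.
// Assumptions: the application builds srcset strings from user input before
// binding them to ng-srcset; MAX_LEN and MAX_CANDIDATES are illustrative
// limits to be tuned per application.

const MAX_LEN = 2048;        // hard upper bound on the raw attribute value
const MAX_CANDIDATES = 16;   // an <img> rarely needs more than a handful of sources
const WHITESPACE = new Set([' ', '\t', '\n', '\r', '\f']);

// Split on ASCII whitespace in one forward pass. No regular expression is
// involved, so the cost is proportional to input length whatever the content.
function tokenize(s) {
  const tokens = [];
  let current = '';
  for (const ch of s) {
    if (WHITESPACE.has(ch)) {
      if (current) { tokens.push(current); current = ''; }
    } else {
      current += ch;
    }
  }
  if (current) tokens.push(current);
  return tokens;
}

function isDigits(s) {
  if (s.length === 0) return false;
  for (const ch of s) if (ch < '0' || ch > '9') return false;
  return true;
}

// Accept only the two descriptor forms defined for srcset: "<int>w" or "<number>x".
function isValidDescriptor(d) {
  if (d.length < 2) return false;
  const unit = d[d.length - 1];
  const num = d.slice(0, -1);
  if (unit === 'w') return isDigits(num) && Number(num) > 0;
  if (unit === 'x') {
    const dot = num.indexOf('.');
    const ok = dot === -1
      ? isDigits(num)
      : isDigits(num.slice(0, dot)) && isDigits(num.slice(dot + 1));
    return ok && Number(num) > 0;
  }
  return false;
}

// Allow absolute http(s) URLs and scheme-less relative references; any other
// scheme (javascript:, data:, ...) is rejected outright.
function isAllowedUrl(url) {
  const lower = url.toLowerCase();
  if (lower.startsWith('http://') || lower.startsWith('https://')) return true;
  return !url.includes(':');
}

// Parse a srcset string into [{url, descriptor}] or return null if any part is
// malformed, the value is too long, or there are too many candidates.
function parseSrcsetCandidates(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > MAX_LEN) return null;
  const pieces = value.split(',');
  if (pieces.length > MAX_CANDIDATES) return null;
  const candidates = [];
  for (const piece of pieces) {
    const tokens = tokenize(piece);
    if (tokens.length === 0 || tokens.length > 2) return null;
    const [url, descriptor] = tokens;
    if (!isAllowedUrl(url)) return null;
    if (descriptor !== undefined && !isValidDescriptor(descriptor)) return null;
    candidates.push({ url, descriptor: descriptor ?? null });
  }
  return candidates;
}

// Re-serialise a validated value in canonical form, or return '' so the
// template binds nothing. Only this function's output should reach ng-srcset.
function sanitizeSrcset(value) {
  const candidates = parseSrcsetCandidates(value);
  if (candidates === null) return '';
  return candidates
    .map(c => (c.descriptor ? `${c.url} ${c.descriptor}` : c.url))
    .join(', ');
}
```

Two design points: the tokenizer is hand-written rather than regex-based so the validator itself cannot be pushed into backtracking, and the length and candidate-count caps mean whatever parsing AngularJS performs afterwards only ever sees bounded, well-formed input; rejected values bind as an empty string rather than being passed through partially cleaned.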

Rate Limiting

all

Implement rate limiting and request throttling to mitigate impact of denial of service attempts.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to detect and block ReDoS patterns in ng-srcset input
  • Monitor CPU usage and implement automatic scaling/restart mechanisms for application instances under attack

🔍 How to Verify

Check if Vulnerable:

Check package.json or bower.json for angular dependency version 1.3.0 or higher

Check Version:

npm list angular or check bower_components/angular/package.json

Verify Fix Applied:

Verify migration to @angular/core or implementation of input validation workarounds

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU usage
  • Request timeouts on pages with ng-srcset
  • Repeated requests with similar ng-srcset patterns

Network Indicators:

  • High volume of requests to pages containing ng-srcset attributes
  • Requests with unusually long ng-srcset parameter values

SIEM Query:

source=application_logs AND ("ng-srcset" OR "angular") AND (cpu_usage>90 OR response_time>5000)
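The indicators above turned into detection logic, as an added example (not part of the advisory): it scans constructed JSON application-log records for long srcset parameter values, slow responses and high CPU, and flags a client that repeats the same pattern. The field names (client_ip, path, srcset_len, response_ms, cpu_pct), the thresholds and the sample records are all assumptions made for the example; map them onto whatever your application actually logs.

```javascript
// Added example, not from the advisory. Detection logic over constructed log
// records; field names, thresholds and sample data are assumptions.

// Constructed sample log lines (one JSON record per line, plus a malformed one).
const SAMPLE_LOGS = [
  '{"ts":"2024-02-10T10:00:01Z","client_ip":"203.0.113.5","path":"/gallery","srcset_len":64,"response_ms":120,"cpu_pct":35}',
  '{"ts":"2024-02-10T10:00:02Z","client_ip":"198.51.100.7","path":"/gallery","srcset_len":1900,"response_ms":6100,"cpu_pct":97}',
  '{"ts":"2024-02-10T10:00:03Z","client_ip":"198.51.100.7","path":"/gallery","srcset_len":1900,"response_ms":5900,"cpu_pct":98}',
  '{"ts":"2024-02-10T10:00:04Z","client_ip":"198.51.100.7","path":"/gallery","srcset_len":1900,"response_ms":6400,"cpu_pct":99}',
  '{"ts":"2024-02-10T10:00:05Z","client_ip":"203.0.113.9","path":"/about","srcset_len":0,"response_ms":80,"cpu_pct":40}',
  'not json at all',
];

// Thresholds mirror the SIEM query above (cpu_usage>90, response_time>5000);
// the srcset length and repeat count are illustrative.
const THRESHOLDS = { srcsetLen: 1024, responseMs: 5000, cpuPct: 90, repeats: 3 };

// Parse each line as JSON, silently skipping anything that is not a record.
function parseRecords(lines) {
  const out = [];
  for (const line of lines) {
    try {
      const r = JSON.parse(line);
      if (r && typeof r === 'object') out.push(r);
    } catch {
      // malformed line: ignore
    }
  }
  return out;
}

// Return the list of indicators a single record trips (empty if none).
function classifyRecord(r, t = THRESHOLDS) {
  const reasons = [];
  if (r.srcset_len > t.srcsetLen) reasons.push('long_srcset');
  if (r.response_ms > t.responseMs) reasons.push('slow_response');
  if (r.cpu_pct > t.cpuPct) reasons.push('high_cpu');
  return reasons;
}

// Walk the log, emit one alert per suspicious record, and add a
// 'repeated_pattern' reason once the same client/path/length combination
// has been seen t.repeats times.
function findSuspects(lines, t = THRESHOLDS) {
  const records = parseRecords(lines);
  const perClient = new Map();
  const alerts = [];
  for (const r of records) {
    const reasons = classifyRecord(r, t);
    if (reasons.length === 0) continue;
    const key = `${r.client_ip}|${r.path}|${r.srcset_len}`;
    const count = (perClient.get(key) ?? 0) + 1;
    perClient.set(key, count);
    if (count >= t.repeats) reasons.push('repeated_pattern');
    alerts.push({ ts: r.ts, client_ip: r.client_ip, path: r.path, reasons });
  }
  return alerts;
}
```

Run findSuspects(SAMPLE_LOGS) and the three records from 198.51.100.7 come back as alerts, the last one also carrying repeated_pattern; the two ordinary requests and the malformed line produce nothing. Keying the repeat counter on client, path and payload length is a cheap stand-in for "similar ng-srcset patterns" when the raw attribute value is not logged.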
