CVE-2022-25844 in Angular
Summary
by MITRE • 05/01/2022
The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/14/2026
The vulnerability identified as CVE-2022-25844 affects the Angular JavaScript framework, specifically versions 1.7.0 and higher, presenting a critical Regular Expression Denial of Service (ReDoS) flaw. This vulnerability stems from the framework's handling of custom locale rules within its internationalization capabilities, particularly when processing number formatting patterns. The issue manifests when malicious input is provided through the NUMBER_FORMATS.PATTERNS[1].posPre parameter, allowing attackers to craft specially formatted strings that trigger exponential backtracking in regular expressions used for number parsing and formatting operations.
The technical exploitation of this vulnerability occurs through the manipulation of locale configuration data, specifically targeting the position of positive prefix formatting rules within the NUMBER_FORMATS structure. When Angular processes these custom locale rules, it employs regular expressions to parse and validate number format patterns, but these patterns are susceptible to catastrophic backtracking when confronted with carefully crafted input containing repeated characters. The vulnerability is particularly dangerous because it allows an attacker to specify extremely high repetition values in the posPre parameter, causing the regular expression engine to consume excessive computational resources and potentially leading to complete service unavailability.
This ReDoS vulnerability has significant operational impact on applications using affected Angular versions, as it can be exploited through user input or external data sources that are processed through the framework's internationalization components. The attack surface extends beyond simple form inputs to include any application component that processes external number formatting data or allows user-defined locale configurations. Organizations relying on deprecated Angular versions face heightened risk since the framework is no longer maintained, meaning no security patches or updates are available to address this vulnerability. The exploitation requires minimal technical skill and can result in complete denial of service for affected applications, making it a critical concern for enterprise environments where application availability is paramount.
The vulnerability aligns with CWE-400, which specifically addresses Regular Expression Denial of Service, and maps to ATT&CK technique T1499.004 for network denial of service attacks. Security practitioners should immediately transition away from using deprecated Angular versions and implement input validation measures to prevent malicious locale data from reaching the framework's number formatting components. Organizations should also consider implementing rate limiting and resource monitoring to detect potential exploitation attempts. The recommended mitigation strategy involves upgrading to supported Angular versions, removing or sanitizing user-provided locale configurations, and implementing proper input validation at all application boundaries to prevent malicious data from reaching vulnerable parsing functions. Additionally, organizations should conduct comprehensive security assessments of their Angular applications to identify all potential attack vectors related to internationalization and number formatting components.