CVE-2026-50171 in Angular

Summary

by MITRE • 06/22/2026

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum fraction digits parsed from the digitsInfo string (e.g., 1.2-4) are converted to integers and used without limits. When parsing a maliciously crafted digitsInfo string with excessively large fraction digit values (e.g., 1.200000000-200000000), the internal roundNumber function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.


Analysis

by VulDB Data Team • 06/23/2026

The vulnerability described is a critical denial of service weakness in the @angular/common package that affects the 19.x, 20.x, 21.x and 22.x release lines prior to the fixed versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23. The issue stems from improper validation within the formatNumber function, which underlies the DecimalPipe, PercentPipe, and CurrencyPipe components. The flaw manifests when the digitsInfo parameter is parsed: the minimum and maximum fraction digits in a string such as "1.2-4" are converted to integers without any upper-bound check. When an attacker supplies a digitsInfo value with excessively large fraction digit counts, such as "1.200000000-200000000", the internal roundNumber function enters an unbounded loop that keeps appending elements to an array until the requested fraction size is reached, exhausting memory and CPU and destabilizing the application.

This vulnerability maps to CWE-770 (Allocation of Resources Without Limits or Throttling) and aligns with ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation). The attack vector exploits the missing bound check in the digitsInfo parsing logic: a specially formatted string is enough to drive the formatter into an unbounded loop. The impact extends beyond simple service disruption because it affects the currency, percentage, and decimal formatting on which financial and data presentation components rely.

The operational consequences are severe for Angular applications in domains such as financial services, e-commerce platforms, and enterprise resource planning systems where precise numerical formatting is essential. The weakness is reachable wherever a digitsInfo value is derived from untrusted data, whether user input, API parameters, or configuration files that control numerical presentation. The effect is not confined to the formatting call itself: the runaway allocation consumes the memory and CPU of the whole process running the formatter, so a single request can cause cascading failures and create conditions that other resource exhaustion attacks can build on.

Mitigation should prioritize upgrading to the fixed versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, in which proper input validation has been implemented. Organizations should also validate input at application boundaries, in particular any user-provided numerical formatting parameters, and reject or clamp fraction digit counts before they reach the formatter. Additional protective measures include rate limiting on endpoints that perform numerical formatting, monitoring for unusual processing patterns such as requests with abnormally long digitsInfo strings, and error handling that stops an unbounded loop from consuming the process. Security teams should conduct code reviews focusing on parameter validation in numerical formatting functions and ensure all third-party components are regularly updated to address known vulnerabilities.
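One way to apply the boundary validation recommended above, as an added example that is not Angular's code or the advisory's own: parse the digitsInfo string in the {minInt}.{minFrac}-{maxFrac} shape the advisory describes, reject fraction digit counts above a configured cap before any formatter sees them, and only then hand the bounded values to Intl.NumberFormat. The cap value, the fallback defaults and the function names are assumptions for this example.

```typescript
// Shape of the digitsInfo string described in the advisory, e.g. "1.2-4":
// minimum integer digits, then minimum and optional maximum fraction digits.
const DIGITS_INFO_RE = /^(\d+)?\.((\d+)(-(\d+))?)?$/;

// Assumed ceiling: no legitimate display needs more fraction digits than this,
// and it is far below values such as 200000000 that drive the padding loop.
export const MAX_FRACTION_DIGITS = 20;

export interface DigitsInfo {
  minInt: number;
  minFrac: number;
  maxFrac: number;
}

// Parse and bound a digitsInfo string. Defaults when parts are omitted are
// assumptions of this example (1 integer digit, 0..3 fraction digits).
export function parseDigitsInfo(digitsInfo: string, cap = MAX_FRACTION_DIGITS): DigitsInfo {
  const m = DIGITS_INFO_RE.exec(digitsInfo);
  if (!m) throw new Error(`malformed digitsInfo: ${digitsInfo}`);
  const minInt = m[1] !== undefined ? parseInt(m[1], 10) : 1;
  const minFrac = m[3] !== undefined ? parseInt(m[3], 10) : 0;
  const maxFrac = m[5] !== undefined ? parseInt(m[5], 10) : Math.max(minFrac, 3);
  // The bound check the vulnerable code lacked: reject before any padding happens.
  if (minFrac > cap || maxFrac > cap) {
    throw new RangeError(`fraction digits exceed cap of ${cap}: ${digitsInfo}`);
  }
  if (minFrac > maxFrac) throw new RangeError(`minFrac ${minFrac} > maxFrac ${maxFrac}`);
  // Intl.NumberFormat itself only accepts 1..21 minimum integer digits.
  if (minInt < 1 || minInt > 21) throw new RangeError(`minInt out of range: ${minInt}`);
  return { minInt, minFrac, maxFrac };
}

// Format a number only after the digitsInfo has passed the bound check.
export function formatNumberSafe(value: number, digitsInfo: string, locale = 'en-US'): string {
  const { minInt, minFrac, maxFrac } = parseDigitsInfo(digitsInfo);
  return new Intl.NumberFormat(locale, {
    minimumIntegerDigits: minInt,
    minimumFractionDigits: minFrac,
    maximumFractionDigits: maxFrac,
  }).format(value);
}
```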

Responsible

GitHub M

Reservation

06/03/2026

Disclosure

06/22/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low
