Angular up to 18.2.14/19.2.22/20.3.21/21.2.14 formatNumber digitsInfo resource consumption

Summaryinfo

A vulnerability was found in Angular up to 18.2.14/19.2.22/20.3.21/21.2.14. It has been rated as problematic. Affected by this vulnerability is the function formatNumber. This manipulation of the argument digitsInfo causes resource consumption. This vulnerability is tracked as CVE-2026-50171. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability has been found in Angular up to 18.2.14/19.2.22/20.3.21/21.2.14 and classified as problematic. Affected by this vulnerability is the function formatNumber. The manipulation of the argument digitsInfo with an unknown input leads to a resource consumption vulnerability. The CWE definition for the vulnerability is CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. As an impact it is known to affect availability. The summary by CVE is:

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum fraction digits parsed from the digitsInfo string (e.g., 1.2-4) are converted to integers and used without limits. When parsing a maliciously crafted digitsInfo string with excessively large fraction digit values (e.g., 1.200000000-200000000), the internal roundNumber function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

The advisory is shared at github.com. This vulnerability is known as CVE-2026-50171 since 06/03/2026. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1499 for this issue.

Upgrading to version 19.2.23, 20.3.22, 21.2.15 or 22.0.0-rc.2 eliminates this vulnerability.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• JavaScript Library

Name

• Angular

Version

• 18.2.0
• 18.2.1
• 18.2.2
• 18.2.3
• 18.2.4
• 18.2.5
• 18.2.6
• 18.2.7
• 18.2.8
• 18.2.9
• 18.2.10
• 18.2.11
• 18.2.12
• 18.2.13
• 18.2.14
• 19.2.0
• 19.2.1
• 19.2.2
• 19.2.3
• 19.2.4
• 19.2.5
• 19.2.6
• 19.2.7
• 19.2.8
• 19.2.9
• 19.2.10
• 19.2.11
• 19.2.12
• 19.2.13
• 19.2.14
• 19.2.15
• 19.2.16
• 19.2.17
• 19.2.18
• 19.2.19
• 19.2.20
• 19.2.21
• 19.2.22
• 20.3.0
• 20.3.1
• 20.3.2
• 20.3.3
• 20.3.4
• 20.3.5
• 20.3.6
• 20.3.7
• 20.3.8
• 20.3.9
• 20.3.10
• 20.3.11
• 20.3.12
• 20.3.13
• 20.3.14
• 20.3.15
• 20.3.16
• 20.3.17
• 20.3.18
• 20.3.19
• 20.3.20
• 20.3.21
• 21.2.0
• 21.2.1
• 21.2.2
• 21.2.3
• 21.2.4
• 21.2.5
• 21.2.6
• 21.2.7
• 21.2.8
• 21.2.9
• 21.2.10
• 21.2.11
• 21.2.12
• 21.2.13
• 21.2.14

Website

• Product: https://github.com/angular/angular/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion