CVE-2025-4690
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
AngularJS is a JavaScript framework for developing dynamic web applications. It lets you use HTML as your template language and lets you extend HTML's syntax to express your application's components clearly and succinctly. Its ngSanitize module provides functionality to sanitize HTML code.
A Regular expression Denial of Service (ReDoS) vulnerability (CVE-2025-4690) has been identified in AngularJS' ngSanitize module, which allows attackers to cause a denial of service of the application.
Per OWASP: The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression (Regex) to enter these extreme situations and then hang for a very long time.
This issue affects all versions of AngularJS.
Details
Module Info
- Product: AngularJS
- Affected packages: angular-sanitize
- Affected versions: >=0.0.0
- GitHub repository: https://github.com/angular/angular.js
- Published packages: https://www.npmjs.com/package/angular-sanitize
- Package manager: npm
- Fixed in: AngularJS NES v1.9.10 and v1.5.26
Vulnerability Info
This Medium-severity vulnerability is found in the angular-sanitize package in all versions of AngularJS.
The linky filter, which is provided by the angular-sanitize package, is used for finding links in an input text and turning them into sanitized HTML links (using the $sanitize service under the hood). The logic for finding links in text is powered by a Regular Expression.
Due to an implementation bug, the Regular Expression has a super-linear runtime relative to the input size. With a long, specially crafted input, an attacker could cause a denial of service of the application, monopolizing browser resources or completely crashing the application.
Steps To Reproduce
- Create an AngularJS application that uses the ngSanitize module. For example:
    angular.module('app', ['ngSanitize']);
- Use the linky filter in an HTML template with an input text that contains a user-provided value. For example:
    <span>{{ textWithUserProvidedValue | linky }}</span>
- Alternatively, use the linky filter programmatically. For example:
    angular
      .module('app')
      .run(['linkyFilter', linkyFilter => {
        linkyFilter(textWithUserProvidedValue);
      }])
      // Or...
      .run(['$filter', $filter => {
        $filter('linky')(textWithUserProvidedValue);
      }]);
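To triage exposure, the usage forms listed in the steps above can be searched for in an application's templates and scripts. The following is an added example, not code from the advisory or from AngularJS; the function names, file names and sample contents are constructed for illustration, and the patterns are heuristics that can produce false positives.

```javascript
// Added example: locate linky usage so each call site can be reviewed for user-provided input.
// Patterns mirror the usage forms shown in the advisory's reproduction steps.
const PATTERNS = [
  { kind: 'template-filter',   re: /\|\s*linky\b/ },                    // {{ value | linky }}
  { kind: 'injected-filter',   re: /\blinkyFilter\b/ },                 // DI token / direct call
  { kind: 'filter-lookup',     re: /\$filter\(\s*['"]linky['"]\s*\)/ }, // $filter('linky')
  { kind: 'module-dependency', re: /['"]ngSanitize['"]/ },              // module declares ngSanitize
];

// Returns one finding per (line, pattern) match: { file, line, kind, text }.
function findLinkyUsage(file, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const { kind, re } of PATTERNS) {
      if (re.test(text)) findings.push({ file, line: i + 1, kind, text: text.trim() });
    }
  });
  return findings;
}

// Scans a map of { fileName: contents } and flattens the findings.
function scanAll(files) {
  return Object.entries(files).flatMap(([file, src]) => findLinkyUsage(file, src));
}

// Constructed sample input (hypothetical file names, contents based on the steps above).
const SAMPLE = {
  'app.js': "angular.module('app', ['ngSanitize']);",
  'comment.html': '<span>{{ textWithUserProvidedValue | linky }}</span>',
  'boot.js': [
    "angular.module('app')",
    "  .run(['linkyFilter', linkyFilter => {",
    '    linkyFilter(textWithUserProvidedValue);',
    '  }])',
    "  .run(['$filter', $filter => {",
    "    $filter('linky')(textWithUserProvidedValue);",
    '  }]);',
  ].join('\n'),
  'other.html': '<a href="/linky-docs">unrelated link</a>', // must not be flagged
};

for (const f of scanAll(SAMPLE)) {
  console.log(`${f.file}:${f.line} [${f.kind}] ${f.text}`);
}
```

A `module-dependency` finding alone only shows that ngSanitize is loaded; the other three kinds mark places where linky is actually invoked.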
Proof Of Concept
A full reproduction with code similar to the above can be found here:
Mitigation
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Migrate affected applications away from AngularJS.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- George Kalpakas from HeroDevs (finder)