CVE-2026-50171
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.
A Denial of Service (DoS) vulnerability (CVE-2026-50171) has been identified in Angular’s @angular/common package, which fails to bound the fraction-digit values parsed from the digitsInfo parameter and can lead to resource exhaustion that crashes the server or freezes the browser.
Per OWASP: The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses.
This issue affects multiple versions of Angular.
Details
Module Info
- Product: Angular
- Affected packages: @angular/common
- Affected versions:
  - <=18.2.14
  - >=19.0.0-next.0 <19.2.23
  - >=20.0.0-next.0 <20.3.22
  - >=21.0.0-next.0 <21.2.15
  - >=22.0.0-next.0 <22.0.0-rc.2
- GitHub repository: https://github.com/angular/angular
- Published packages: https://www.npmjs.com/package/@angular/common
- Package manager: npm
- Fixed in:
  - OSS Angular v19.2.23, v20.3.22, v21.2.15 and v22.0.0-rc.2
Vulnerability Info
This High-severity vulnerability is found in the @angular/common package in multiple published versions of Angular.
Angular's formatNumber function, which also backs the DecimalPipe, PercentPipe, and CurrencyPipe, does not validate the upper bound of the digitsInfo parameter. The minimum and maximum fraction digits parsed from a digitsInfo string such as 1.2-4 are converted to integers and used without any limit.
When a maliciously crafted digitsInfo string supplies excessively large fraction digit values such as 1.200000000-200000000, the internal roundNumber function attempts to pad the digit array to the requested fraction size. This produces an unbounded loop that repeatedly pushes elements into an array until the available memory is exhausted.
This vulnerability affects any Angular application that formats numbers through formatNumber or the DecimalPipe, PercentPipe, or CurrencyPipe when the digitsInfo parameter is controlled by untrusted input such as query parameters, user preferences, or API responses. Successful exploitation triggers resource exhaustion, which can lead to:
- Server-side denial of service: In applications using server-side rendering, the Node.js process crashes with a JavaScript heap out of memory error, taking the application offline for all users.
- Client-side denial of service: In client-side applications, the unbounded loop blocks the main thread and freezes the user's browser tab, making it unresponsive.
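The practical defence on an unpatched version is to bound the digitsInfo string before it reaches formatNumber or the pipes. The following is an added example written for this advisory, not Angular's or HeroDevs' code: it parses the documented `{minIntegerDigits}.{minFractionDigits}-{maxFractionDigits}` grammar with a regular expression of the same shape Angular uses and rejects any request above a cap. The cap values, the default digit counts and the function names are assumptions chosen for illustration.

```typescript
// Added example (not Angular's code): validate a digitsInfo string from an
// untrusted source (query parameter, user preference, API response) before
// handing it to formatNumber / DecimalPipe / PercentPipe / CurrencyPipe.

// Assumed caps: far more than any real display needs, far below what would
// let roundNumber pad an array until memory runs out.
const MAX_INTEGER_DIGITS = 21;
const MAX_FRACTION_DIGITS = 20;

// Same grammar Angular documents: an optional integer count, a mandatory dot,
// then an optional "minFrac" with an optional "-maxFrac".
// Groups: 1 = minInt, 2 = minFrac, 3 = maxFrac.
const DIGITS_INFO_RE = /^(\d+)?\.(?:(\d+)(?:-(\d+))?)?$/;

interface DigitsInfo {
  minInt: number;
  minFrac: number;
  maxFrac: number;
}

// Returns the parsed, bounded digit counts, or null when the string is
// malformed, asks for more digits than the caps allow, or is inconsistent.
function safeDigitsInfo(raw: string): DigitsInfo | null {
  const m = DIGITS_INFO_RE.exec(raw);
  if (m === null) return null;
  // Defaults (assumed for this example): 1 integer digit, 0-3 fraction digits;
  // a minFrac above 3 raises maxFrac to match when maxFrac is omitted.
  const minInt = m[1] !== undefined ? Number(m[1]) : 1;
  const minFrac = m[2] !== undefined ? Number(m[2]) : 0;
  const maxFrac = m[3] !== undefined ? Number(m[3]) : Math.max(minFrac, 3);
  if (minInt > MAX_INTEGER_DIGITS) return null;
  if (minFrac > MAX_FRACTION_DIGITS || maxFrac > MAX_FRACTION_DIGITS) return null;
  if (minFrac > maxFrac) return null;
  return { minInt, minFrac, maxFrac };
}

// Hardened call site: only a validated digitsInfo, or a fixed fallback, is
// ever forwarded to the Angular formatter, e.g.
//   formatNumber(value, locale, digitsInfoForFormatter(req.query.digits))
// (the formatNumber call itself is omitted so this block runs stand-alone).
function digitsInfoForFormatter(untrusted: string, fallback = '1.0-3'): string {
  return safeDigitsInfo(untrusted) !== null ? untrusted : fallback;
}
```

Applying the guard at the boundary where the string enters the application (a route parameter parser, a settings deserializer) covers every pipe that later consumes it.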
Mitigation
Angular versions prior to 19 were already End-of-Life when this CVE was published and will not receive any updates to address this issue.
Users of the affected components should apply one of the following mitigations:
- Migrate affected applications to a patched version of Angular.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.