CVE-2026-54268
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.
A Denial of Service (DoS) vulnerability (CVE-2026-54268) has been identified in the @angular/common package where the formatDate function does not properly limit or validate the length of the format parameter.
Per OWASP, this vulnerability falls under Denial of Service (DoS). A DoS vulnerability exists when an application can be forced to consume excessive resources, such as CPU, memory, disk space, or network bandwidth, resulting in degraded performance or loss of availability for legitimate users. In this case, an attacker may supply crafted input or trigger resource-intensive operations that cause the affected application to become unresponsive, crash, or otherwise fail to provide its intended services.
This issue affects multiple versions of Angular.
Details
Module Info
- Product: Angular
- Affected packages: @angular/common
- Affected versions:
- >= 22.0.0-next.0 < 22.0.1
- >= 21.0.0-next.0 < 21.2.17
- >= 20.0.0-next.0 < 20.3.25
- <= 19.2.25
- GitHub repository: https://github.com/angular/angular
- Published packages: https://www.npmjs.com/package/@angular/common
- Package manager: npm
- Fixed in:
- OSS Angular v22.0.1, v21.2.17, v20.3.25
Vulnerability Info
This High-severity vulnerability is found in the @angular/common package in multiple published versions of Angular.
The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter.
When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS).
Mitigation
Angular versions prior to 19 were already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Migrate affected applications to a patched version of Angular.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.