CVE-2023-26116 : Versions of the package angular from 1.2.21 are vulnerable to Regular Expression

Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

Published 2023-03-30 05:15:07

Updated 2025-02-14 16:15:33

Source Snyk

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2023-26116

Fedoraproject » Fedora » Version: 38
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
Matching versions
Angularjs » Angular » For Node.js
Versions from including (>=) 1.2.21 and up to, including, (<=) 1.8.3
cpe:2.3:a:angularjs:angular:*:*:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-26116

EPSS FAQ

0.24%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 47 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-26116

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	3.9	1.4	Snyk
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

CWE ids for CVE-2023-26116

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
- report@snyk.io (Secondary)

References for CVE-2023-26116

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/

[SECURITY] Fedora 39 Update: icecat-115.3.1-7.rh2.fc39 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320

Regular Expression Denial of Service (ReDoS) in org.webjars.bower:angular | CVE-2023-26116 | Snyk
Exploit;Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321

Regular Expression Denial of Service (ReDoS) in org.webjars.npm:angular | CVE-2023-26116 | Snyk
Exploit;Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044

Regular Expression Denial of Service (ReDoS) in angular | CVE-2023-26116 | Snyk
Exploit;Third Party Advisory
https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos

AngularJS vulnerability: `angular.copy()` ReDoS - StackBlitz
Exploit;Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322

Regular Expression Denial of Service (ReDoS) in org.webjars.bowergithub.angular:angular | CVE-2023-26116 | Snyk
Exploit;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/

[SECURITY] Fedora 38 Update: icecat-115.3.1-7.rh2.fc38 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-26116

Products affected by CVE-2023-26116

Exploit prediction scoring system (EPSS) score for CVE-2023-26116

CVSS scores for CVE-2023-26116

CWE ids for CVE-2023-26116

References for CVE-2023-26116