Outdated AngularJS Library Can Be Used to Slow Down Your Website

Your website uses an outdated version of AngularJS (a JavaScript library) that contains a flaw in one of its built-in tools. An attacker could send a specially crafted request that causes your server or browser to get stuck doing unnecessary work, potentially slowing down or temporarily making your site unavailable to real users. Think of it like a prank caller who knows exactly what to say to put your receptionist on hold indefinitely.

Business Impact And Actions

medium urgency

Business Impact

The risk here is availability — your site could become slow or unresponsive during an attack. There is no risk of data theft or account compromise from this specific issue. For most small SaaS businesses, the practical impact is limited: the attack requires deliberate targeting, and the slowdown is typically temporary. That said, if your application is public-facing and processes user-submitted data, it's worth addressing to maintain a reliable experience for your customers.

What To Do

  1. Ask your developer to check which version of AngularJS your site uses and upgrade it — this is typically a straightforward dependency update.
  2. If upgrading AngularJS isn't immediately possible (e.g., it would break other parts of the site), ask your developer to add input size limits on any forms or fields that accept free-text data.
  3. Note that AngularJS 1.x is no longer officially maintained by Google — consider asking your developer about a longer-term plan to migrate to a supported framework.

AngularJS <= 1.8.3 ReDoS via angular.copy() Insecure Regex (CVE-2023-26116)

medium severity CVSS 5.3

Vulnerability Explanation

The angular.copy() utility function in AngularJS clones RegExp values by rebuilding them from their string form, and the internal regular expression it uses to read the flags back off that string is susceptible to catastrophic backtracking. When the RegExp being copied has a long, specially crafted pattern source, the regex engine performs a number of backtracking steps that grows quadratically with the source length (not exponentially, but enough to stall a thread for seconds on a long enough pattern), consuming excessive CPU time. Because the attack vector is network-accessible and requires no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), any code path that lets user-controlled data reach angular.copy() as a RegExp, directly or indirectly, is a potential trigger point. The impact is limited to availability (A:L); confidentiality and integrity are unaffected.

Root Cause

The root cause is the regular expression angular.copy() uses to extract a RegExp's flags from its toString() output, `/[^/]*$/`. The pattern is not anchored at the start and pairs a greedy character class with an end-of-string anchor: on a pattern source that contains no `/`, the engine tries the greedy `[^/]*` from every starting position and backtracks it one character at a time before `$` can match, so the work grows quadratically with the input length. This is the ReDoS class of bug (Regular Expression Denial of Service, CWE-1333); a linear-time fix is to read the flags from RegExp.prototype.flags instead of scanning text. AngularJS 1.x reached end-of-life in December 2021 and no official upstream patch exists for the 1.8.x branch.
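The behaviour described above, as an added example that is not part of the original advisory or of the AngularJS code base. copyRegExpVulnerable() reconstructs the RegExp branch of angular.copy() as it appears in the affected 1.x releases (flags recovered by running /[^/]*$/ over the RegExp's string form); copyRegExpFixed() performs the same clone using RegExp.prototype.flags. craftedRegExp() builds a pattern whose source is n slash-free characters, the worst case for the unanchored regex, and measure() times both copies and checks that they produce equivalent results. The function names and the sizes tried are this example's own choices.

```javascript
'use strict';

// Reconstruction (an assumption, not the library's own source) of how the
// affected angular.copy() clones a RegExp: it rebuilds the object from
// source.source and recovers the flags by running /[^/]*$/ over the
// stringified pattern "/source/flags". That regex is unanchored at the
// start, so on a source containing no '/' the engine tries the greedy
// [^/]* from every position and backtracks it character by character
// before '$' can match: quadratic in the source length.
function copyRegExpVulnerable(source) {
  const re = new RegExp(source.source, source.toString().match(/[^/]*$/)[0]);
  re.lastIndex = source.lastIndex;
  return re;
}

// Hardened form: RegExp.prototype.flags (ES2015) yields the flags directly,
// so no regex ever runs over attacker-sized text.
function copyRegExpFixed(source) {
  const re = new RegExp(source.source, source.flags);
  re.lastIndex = source.lastIndex;
  return re;
}

// Worst-case input, constructed for this example: a pattern whose source is
// n characters, none of them '/'. The pattern itself is harmless to compile.
function craftedRegExp(n) {
  const re = new RegExp('a'.repeat(n), 'gi');
  re.lastIndex = 7; // non-default value so the clone check is meaningful
  return re;
}

function sameRegExp(a, b) {
  return a.source === b.source && a.flags === b.flags && a.lastIndex === b.lastIndex;
}

function now() {
  return typeof performance !== 'undefined' ? performance.now() : Date.now();
}

function timeMs(fn) {
  const t0 = now();
  const result = fn();
  return { result, ms: now() - t0 };
}

// Times both clones on the crafted pattern and verifies they are equivalent.
function measure(n) {
  const src = craftedRegExp(n);
  const vuln = timeMs(() => copyRegExpVulnerable(src));
  const fixed = timeMs(() => copyRegExpFixed(src));
  return {
    n,
    vulnerableMs: vuln.ms,
    fixedMs: fixed.ms,
    equivalent: sameRegExp(vuln.result, src) && sameRegExp(fixed.result, src),
  };
}

for (const n of [1000, 2000, 4000]) {
  const r = measure(n);
  console.log(`n=${r.n}: vulnerable ${r.vulnerableMs.toFixed(2)} ms, ` +
              `fixed ${r.fixedMs.toFixed(3)} ms, equivalent=${r.equivalent}`);
}
```

Run it with node: doubling n roughly quadruples the vulnerable time while the fixed copy stays flat, which is the quadratic signature to look for when confirming a reported ReDoS in a staging environment.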

Technical Impact

An unauthenticated remote attacker can send a crafted payload to any application endpoint that turns user input into a RegExp and feeds it, directly or inside a larger object, into angular.copy(), causing the JavaScript engine to spin at high CPU for an extended period. In a browser context this freezes the tab for that user; in a server-side rendering or Node.js context it blocks the single event loop, degrading or denying service to every other request on that process until the regex returns. No data exfiltration or privilege escalation is possible via this vulnerability alone.

Severity Justification

CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Network-reachable with no privileges required, but impact is limited to low availability degradation with no confidentiality or integrity impact. Not listed in CISA KEV; EPSS ~0.47%.

Affected Components

  • angular (npm) 1.2.21 – 1.8.3

Remediation Steps

  1. Update the angular npm package to a patched build. No fixed version exists on the public npm registry (1.8.3 is the last upstream release); the fix is available in the AngularJS XLTS/NES release 1.9.1 (or 1.5.17 for older branches via HeroDevs Never-Ending Support). Those builds are served from the vendor's own registry, possibly under a vendor-specific package name, so configure it per the vendor's instructions before changing the version constraint in package.json and running `npm install angular@1.9.1`; against the public registry that command finds no matching version.
  2. If you load AngularJS from a CDN or as a vendored file, replace the file with the patched build and update any integrity hashes (SRI) accordingly.
  3. If an immediate upgrade is not feasible, add server-side input length validation on any field from which the application builds a regular expression (search strings, filter patterns and the like) and on any endpoint whose data may flow into angular.copy(). Reject or truncate payloads above a reasonable size threshold before they reach the client.
  4. Audit your codebase for places where a RegExp is constructed from unsanitised user input and later passed to angular.copy(), directly or inside a larger object, and add explicit length guards at those call sites as a short-term mitigation. Note that AngularJS calls copy() internally as well (for example, a deep $watch snapshots the watched value with it), so the RegExp does not have to be handed to angular.copy() by your own code.
  5. Given that AngularJS 1.x is end-of-life, create a backlog item to migrate to a supported framework (Angular 17+, React, Vue, etc.) to avoid accumulating further unpatched CVEs.
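A call-site guard matching steps 3 and 4 above, as an added example that is not code from the advisory or from AngularJS. findOversizedRegExp() walks a value about to be cloned and reports the first RegExp whose string form (the text the vulnerable flag-extraction regex scans) exceeds a limit; guardedCopy() wraps whatever clone function the application uses (angular.copy() in practice; here a structuredClone stand-in so the example runs without the library). The 256-character limit, the function names and the sample models are this example's own assumptions.

```javascript
'use strict';

// Added example (not AngularJS code): a guard to place in front of
// angular.copy() calls while the library cannot be upgraded. Because the
// vulnerable flag-extraction regex runs over a RegExp's string form, the
// guard walks the value about to be copied and rejects any RegExp whose
// stringified length exceeds a limit. The limit is an assumption; tune it
// to the longest legitimate pattern your application builds.
const MAX_REGEXP_TEXT = 256;

// Same type test angular.copy() uses to select its RegExp branch.
function isRegExpLike(v) {
  return Object.prototype.toString.call(v) === '[object RegExp]';
}

// Depth-first walk over plain objects and arrays. Returns the path and length
// of the first oversized RegExp, or null when the value is safe to copy.
// `seen` breaks reference cycles, which angular.copy() itself tolerates.
function findOversizedRegExp(value, limit = MAX_REGEXP_TEXT, path = '$', seen = new Set()) {
  if (value === null || typeof value !== 'object') return null;
  if (seen.has(value)) return null;
  seen.add(value);
  if (isRegExpLike(value)) {
    const length = String(value).length; // the text /[^/]*$/ would scan
    return length > limit ? { path, length } : null;
  }
  const entries = Array.isArray(value) ? value.map((v, i) => [i, v]) : Object.entries(value);
  for (const [key, child] of entries) {
    const hit = findOversizedRegExp(child, limit, `${path}.${key}`, seen);
    if (hit) return hit;
  }
  return null;
}

// Drop-in wrapper: `copyFn` is the real clone (angular.copy in an AngularJS
// app). The check runs before any cloning work, so a hostile pattern costs
// one string-length lookup instead of a quadratic regex scan.
function guardedCopy(value, copyFn, limit = MAX_REGEXP_TEXT) {
  const hit = findOversizedRegExp(value, limit);
  if (hit) {
    throw new RangeError(
      `refusing to copy: RegExp at ${hit.path} stringifies to ${hit.length} chars (limit ${limit})`);
  }
  return copyFn(value);
}

// Constructed sample inputs: a normal view model, one carrying a pattern
// built from an oversized "search" string, and one with a reference cycle.
const safeModel = { user: 'alice', filters: [/^foo$/i, { nested: /bar/ }] };
const hostileModel = { search: new RegExp('a'.repeat(5000)) };
const cyclicModel = { label: 'loop' };
cyclicModel.self = cyclicModel;

// Stand-in for angular.copy() so the example runs without the library.
const cloneFn = typeof structuredClone === 'function' ? structuredClone : (v) => v;

console.log('safe model:', findOversizedRegExp(safeModel));       // null
console.log('hostile model:', findOversizedRegExp(hostileModel)); // { path: '$.search', length: 5002 }
console.log('cyclic model:', findOversizedRegExp(cyclicModel));   // null
try {
  guardedCopy(hostileModel, cloneFn);
} catch (e) {
  console.log('guardedCopy rejected it:', e.message);
}
```

Because the walk stops at the first oversized pattern and never executes a regex, its cost is linear in the size of the value; keep the limit well below the point at which the quadratic scan becomes noticeable (a few thousand characters) rather than trying to match it exactly.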

Verification Steps

  1. After upgrading, run `npm list angular` (or check your lock file) and confirm the installed version is 1.9.1 or later.
  2. If loading from a CDN, inspect the page source or Network tab in browser DevTools and confirm the script URL references the patched version number.
  3. Run your existing test suite to confirm no regressions were introduced by the version bump.
  4. Optionally, use the public StackBlitz proof-of-concept (https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos) against a staging environment before and after patching to confirm the fix is effective.

Code Examples (bash)

Vulnerable
# package.json (vulnerable): on the public npm registry this caret range
# resolves to 1.8.3, the last upstream release, which is in the affected range
"dependencies": {
  "angular": "^1.8.3"
}
Fixed
# Upgrade to the patched XLTS release (the vendor's registry must be
# configured first; see Remediation Steps)
npm install angular@1.9.1

# Confirm installed version
npm list angular
# └── angular@1.9.1

Best Practices

  • Always validate and limit the length of user-supplied input server-side before it reaches any client-side processing logic.
  • Pin frontend dependency versions in your lock file and run automated dependency scanning (e.g., npm audit, Snyk, Dependabot) in CI to catch newly published CVEs early.
  • Avoid using end-of-life JavaScript libraries in production; schedule migration work before EOL dates, not after CVEs accumulate.
  • When evaluating regex patterns in your own code, use a tool like safe-regex or vuln-regex-detector to identify catastrophic backtracking risks before deployment. Simple linters such as safe-regex only flag nested quantifiers and would not catch the polynomial case here (a greedy class followed by `$` in an unanchored pattern), so also time any regex that runs on untrusted text against a few tens of thousands of adversarial characters.

VulWall scans for this and dozens of other issues automatically.