VulWall Team February 18, 2026 5 min read

AngularJS Vulnerability Can Make Your Web App Freeze or Crash for Users

Your website uses AngularJS, a web framework that reached its official end of life in December 2021 — meaning it no longer receives security fixes from its creators. A newly discovered flaw in AngularJS allows anyone to send a specially crafted piece of text to your app that causes it to freeze or become unresponsive, effectively locking out real users. Because AngularJS is no longer maintained, there is no official patch available.

OWASP A06 Effort: large Exploitable
redos angularjs denial-of-service end-of-life regex frontend ngsanitize linky cve-2025-4690 eol-dependency

Business Impact And Actions

medium urgency

Business Impact

If your app uses AngularJS's link-detection feature on user-submitted text (for example, in comment boxes, message fields, or any form where users type free text), a malicious user could deliberately trigger this flaw to make your app slow to a crawl or crash entirely. This means real customers could be locked out of your service during an attack, which can affect revenue, customer trust, and — depending on your industry — compliance obligations around availability. Beyond this specific flaw, running end-of-life software is increasingly flagged in security audits and by cyber insurance providers.

What To Do

  1. Ask your developer to check whether your app uses the AngularJS 'linky' filter on any user-submitted text fields — if it does, that's where the risk is highest and they should prioritise removing or replacing it.
  2. Start planning a migration away from AngularJS to a modern, actively maintained framework (such as Angular, React, or Vue). This is the only permanent fix, as no official security patches will ever be released for AngularJS.
  3. If a full migration isn't possible right now, ask your developer to add server-side input length limits on any text fields that feed into AngularJS — this reduces the ability to exploit the flaw.
  4. If you need more time to migrate, consider a commercial extended support provider for AngularJS as a temporary bridge while you plan the upgrade.

AngularJS ngSanitize linky Filter ReDoS via Catastrophic Backtracking (CVE-2025-4690)

medium severity

Vulnerability Explanation

The `linky` filter in AngularJS's `angular-sanitize` (ngSanitize) package uses a regular expression to detect URLs in user-supplied text. Due to an implementation bug, this regex exhibits super-linear (potentially exponential) runtime relative to input size when processing specially crafted strings. An attacker who can supply input to any template or code path that applies the `linky` filter — e.g., `{{ userInput | linky }}` — can trigger catastrophic backtracking in the JavaScript regex engine, monopolising the browser's main thread or crashing the application entirely. The attack requires no authentication beyond the ability to submit text to the affected field.

Root Cause

The regex in `linky.js` (lines ~131 and ~155) uses nested quantifiers or ambiguous alternation patterns that allow the regex engine to explore an exponential number of matching paths when the input is crafted to avoid a match. This is a classic ReDoS pattern: the engine backtracks exhaustively before concluding no match exists, consuming unbounded CPU time proportional to input length.

Technical Impact

Denial of service of the client-side application: the browser tab becomes unresponsive or crashes. In server-side rendering (SSR) scenarios using AngularJS, the Node.js process could be blocked, causing a full server-side denial of service. An unauthenticated attacker with access to any text input field that feeds the `linky` filter can trigger this condition.

Severity Justification

CVSS Medium (estimated 5.3–6.5). Impact is limited to availability (DoS); no data exfiltration or code execution is possible. Exploitability requires the `linky` filter to be applied to attacker-controlled input, which is a common but not universal pattern. AngularJS's EOL status means no official fix will be released, increasing long-term risk exposure.

Affected Components

  • angular-sanitize (ngSanitize) — all versions of AngularJS (1.x)

Remediation Steps

  1. Identify all usages of the `linky` filter in your templates and JavaScript code by searching for `| linky` in templates and `linkyFilter` or `$filter('linky')` in JS files.
  2. If the `linky` filter is applied to user-controlled input, remove it or replace it with a safe, purpose-built URL-detection library that does not use vulnerable regex patterns (e.g., linkifyjs).
  3. Add server-side and/or client-side input length validation to cap the maximum length of text processed by any AngularJS filter. This limits the worst-case backtracking time even if the vulnerable filter remains in place temporarily.
  4. Plan and execute a migration away from AngularJS to a supported framework (modern Angular, React, or Vue). AngularJS reached end of life on December 31, 2021, and will receive no further security patches from Google or the community.
  5. If migration is not immediately feasible, evaluate commercial extended support options (e.g., HeroDevs NES or TuxCare ELS for AngularJS) which provide backported security patches for EOL AngularJS versions.

Verification Steps

  1. Search the codebase for all occurrences of `| linky` in HTML templates and `linkyFilter` / `$filter('linky')` in JavaScript to confirm scope of exposure.
  2. For any identified usage, test with a long crafted input (e.g., a string of 50,000+ repeated characters designed to avoid URL matching) and observe whether the browser tab freezes — if it does, the vulnerability is confirmed.
  3. After applying input length limits, re-run the same test and confirm the app remains responsive.
  4. After migration to a supported framework, verify that `angular-sanitize` / `angular.js` packages are no longer present in the production bundle using your build tool's dependency output or a tool like `npm ls angular`.

Best Practices

  • Never apply regex-based filters to unbounded user input without first enforcing a maximum input length at the server side.
  • Treat any end-of-life dependency as a security liability — schedule migrations before vulnerabilities accumulate.
  • Audit all AngularJS filter usages (`linky`, `$sanitize`, etc.) for attacker-controlled data paths as part of any security review.
  • Use a dependency inventory tool (e.g., `npm audit`, Snyk, or Dependabot) to surface EOL and vulnerable packages continuously.

Found this in your infrastructure?

VulWall scans for this and dozens of other issues automatically.

Scan Your Domain Free
Back to Knowledge Base