Description
Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
Remediation
References
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406326
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406328
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406327
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046
https://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos
https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html
Related Vulnerabilities
CVE-2022-45935 Vulnerability in maven package org.apache.james:james-server-protocols-imap4
CVE-2021-35515 Vulnerability in maven package org.apache.commons:commons-compress
CVE-2022-38648 Vulnerability in maven package org.apache.xmlgraphics:batik-bridge
CVE-2019-25103 Vulnerability in npm package simple-markdown
CVE-2020-26237 Vulnerability in maven package org.webjars.npm:highlight.js