LiveActive security incident?Get immediate response
CVE Record

CVE-2024-21490: This affects versions of the package angular from 1.3.0; versions of the package angularjs from 1.3.0.

This affects versions of the package angular from 1.3.0; versions of the package angularjs from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).

HighCVSS 7.5Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2024-21490 is a denial-of-service issue in legacy AngularJS handling of ng-srcset. A specially large crafted value can make a regular expression consume excessive CPU, potentially making an affected application unavailable. The package is end-of-life, and the provided sources say it will not receive normal upstream updates.

Executive priority

Prioritize replacement or supported remediation for internet-facing legacy AngularJS applications. The issue affects availability rather than data theft, but EOL status increases operational risk because standard upstream fixes are not expected.

Technical view

The vulnerability is CWE-1333: inefficient regular expression complexity. Angular/angularjs packages from the 1.3.0 line are described as affected. The vulnerable regex is used to split ng-srcset directive values, allowing super-linear backtracking and availability impact. CVSS is 7.5 high, network reachable, low complexity, no privileges or user interaction required.

Likely exposure

Exposure is most likely in applications still shipping AngularJS or legacy angular packages, including Java WebJars and .NET angularjs package variants. Risk depends on whether untrusted or attacker-controlled content can reach ng-srcset processing.

Exploitation context

The bundle shows KEV is false, so active exploitation is not established here. CVSS indicates remote, unauthenticated denial-of-service potential, and the references include public vulnerability and demonstration material. Treat internet-facing legacy AngularJS surfaces as higher priority.

Researcher notes

Evidence supports ReDoS in ng-srcset parsing with availability impact. Do not assume all applications are exploitable; validate data flow into the directive. No KEV listing is provided, and no universal fixed version is identified in the bundle.

Mitigation direction

  • Inventory and remove legacy AngularJS/angular dependencies where possible.
  • Plan migration to @angular/core, as named in the advisory text.
  • Check HeroDevs and package ecosystem guidance for supported remediation options.
  • For Debian packages, review the Debian LTS advisory before deciding package actions.
  • Limit untrusted input paths that can influence ng-srcset values.

Validation and detection

  • Search dependency manifests for angular, angularjs, and WebJars Angular packages.
  • Identify runtime pages or templates using ng-srcset.
  • Confirm whether attacker-controlled data can populate ng-srcset values.
  • Check whether affected assets are exposed on public routes.
  • Record package source, version, and vendor guidance for each finding.
Prepared
Confidence
high
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-1333: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2024-21490 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
2ADP providers
8Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.5CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P3.93.6snyk

Vulnerability scoring details

Base CVSS 3.1 score

7.5High
CVSS 3.1 vector shape for CVE-2024-21490Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/aangular1.3.0Listed
n/aorg.webjars.bower:angular1.3.0Listed
n/aorg.webjars.npm:angular1.3.0Listed
n/aangularjs1.3.0Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-1333 · source CWE mapping

Inefficient Regular Expression Complexity

Inefficient Regular Expression Complexity represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.