CVE-2025-4690
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-19

Last updated on: 2025-08-20

Assigner: HeroDevs

Description
A regular expression used by AngularJS'  linky https://docs.angularjs.org/api/ngSanitize/filter/linky  filter to detect URLs in input text is vulnerable to super-linear runtime due to backtracking. With a large carefully-crafted input, this can cause a Regular expression Denial of Service (ReDoS) https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS  attack on the application. This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-19
Last Modified
2025-08-20
Generated
2026-05-06
AI Q&A
2025-08-19
EPSS Evaluated
2026-05-05
NVD
CVE-2025-4690
EUVD
EUVD-2025-25177
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
angular angularjs *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-4690 is a Regular Expression Denial of Service (ReDoS) vulnerability in AngularJS's angular-sanitize module, specifically in the linky filter that detects URLs in input text. The vulnerability arises because the regular expression used for URL detection has a flaw causing super-linear (exponential) runtime when processing specially crafted large inputs. An attacker can exploit this by providing such input, causing the application to consume excessive processing time and resources, potentially hanging or crashing it. [1]


How can this vulnerability impact me? :

This vulnerability can impact you by allowing an attacker to cause a denial of service on your AngularJS application. By submitting a carefully crafted input string, the attacker can trigger excessive processing in the vulnerable regular expression, leading to high CPU usage, application hangs, or crashes. This disrupts the availability of your application to legitimate users. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the AngularJS application using the ngSanitize module's linky filter with specially crafted long input strings that trigger the super-linear regex processing. A proof-of-concept demonstrating the ReDoS attack is publicly available, which can be used to reproduce and detect the issue. Specific commands are not provided, but detection involves inputting crafted data into the application to observe excessive processing or hanging behavior. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include migrating away from AngularJS since it is End-of-Life and no longer maintained, or obtaining commercial support such as HeroDevs' Never-Ending Support (NES) versions of AngularJS (v1.9.10 or v1.5.26) which include fixes for this vulnerability. Applying these patched versions or moving to a maintained framework are the recommended actions to prevent exploitation. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart