CVE-2026-50171
Status: Undergoing Analysis - In Progress
Denial of Service in Angular Framework

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum fraction digits parsed from the digitsInfo string (e.g., 1.2-4) are converted to integers and used without limits. When parsing a maliciously crafted digitsInfo string with excessively large fraction digit values (e.g., 1.200000000-200000000), the internal roundNumber function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 5 associated CPEs

Vendor    Product   Version / Range
angular   common    up to 22.0.0-rc.2 (exclusive)
angular   common    21.2.15
angular   common    20.3.22
angular   common    19.2.23
angular   angular   up to 19.2.23 (inclusive)
CWE ID    Description
CWE-834   The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
CWE-400   The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

This vulnerability is a Denial of Service (DoS) issue in the @angular/common package of Angular, specifically in the formatNumber function and related pipes like DecimalPipe, PercentPipe, and CurrencyPipe.

The problem occurs because the digitsInfo parameter, which controls number formatting, does not properly validate the upper bounds of the minimum and maximum fraction digits. When a maliciously crafted digitsInfo string with excessively large fraction digit values is used, the internal roundNumber function enters an unbounded loop that repeatedly pushes elements into an array.

This unbounded loop leads to uncontrolled resource consumption, potentially crashing Node.js servers in Server-Side Rendering (SSR) environments or freezing browser tabs in Client-Side Rendering (CSR) scenarios.

Impact Analysis

Exploitation of this vulnerability can cause Denial of Service by exhausting system resources.

  • In Server-Side Rendering (SSR) environments, it can crash Node.js servers due to JavaScript heap out-of-memory errors.
  • In Client-Side Rendering (CSR) scenarios, it can freeze browser tabs by blocking the main thread.

The vulnerability requires that the application uses Angular's number formatting utilities with attacker-controlled or customizable digitsInfo parameters.

Detection Guidance

This vulnerability occurs when the Angular @angular/common package's formatNumber function or related pipes (DecimalPipe, PercentPipe, CurrencyPipe) process a digitsInfo parameter with excessively large fraction digit values, leading to unbounded loops and resource exhaustion.

To determine whether your system is affected, first check whether your application uses a vulnerable version of Angular, that is, any release prior to 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23.

You can check the Angular version used in your project by running the following command in your project directory:

  • npm list @angular/common

To detect if the vulnerable function is being exploited or triggered, monitor your application logs and system resource usage for symptoms such as Node.js server crashes due to heap out-of-memory errors or browser freezes.

There are no specific commands provided to detect malicious digitsInfo parameter usage directly, but you can audit your codebase for usage of formatNumber or the related pipes with user-controllable digitsInfo inputs.

Mitigation Strategies

The primary mitigation step is to upgrade the @angular/common package to a fixed version where this vulnerability is resolved.

  • Upgrade @angular/common to 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23, or to a later release of the same major line.

If immediate upgrade is not possible, ensure that the digitsInfo parameter used in formatNumber and related pipes is not controllable by untrusted users or inputs.
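One way to apply this advice at the trust boundary, as an added example that is not Angular's code and not part of the advisory: a small TypeScript guard that parses a digitsInfo string in the {minIntegerDigits}.{minFractionDigits}-{maxFractionDigits} layout shown above (e.g. 1.2-4), rejects malformed or oversized values such as 1.200000000-200000000, and substitutes a fixed fallback before the value reaches formatNumber or one of the pipes. The regular expression, the DigitsInfoLimits caps, and the function names below are this example's own assumptions, not Angular's API or its internal parser.

```typescript
// Added example (not Angular's own code): validate a digitsInfo string before
// it is handed to formatNumber, DecimalPipe, PercentPipe or CurrencyPipe, so an
// attacker-supplied fraction-digit count never reaches the padding loop that
// the advisory describes.

interface DigitsInfoLimits {
  maxIntegerDigits: number;  // cap on minIntegerDigits
  maxFractionDigits: number; // cap on minFractionDigits and maxFractionDigits
}

// Assumed caps for this example; tune them to what the UI actually needs.
// Twenty fraction digits already exceed double precision, so no legitimate
// formatting request is lost by refusing larger values.
const DEFAULT_LIMITS: DigitsInfoLimits = {
  maxIntegerDigits: 21,
  maxFractionDigits: 20,
};

interface ParsedDigitsInfo {
  minIntegerDigits: number | null;
  minFractionDigits: number | null;
  maxFractionDigits: number | null;
}

// Layout of Angular's digitsInfo argument: {minInt}.{minFrac}-{maxFrac}, with
// each part optional ("1.2-4", ".2", "3."). This pattern is the example's own,
// not Angular's internal regular expression.
const DIGITS_INFO_RE = /^(\d+)?\.(?:(\d+)(?:-(\d+))?)?$/;

function parseDigitsInfo(digitsInfo: string): ParsedDigitsInfo | null {
  const m = DIGITS_INFO_RE.exec(digitsInfo);
  if (m === null) return null;
  const toInt = (s: string | undefined): number | null =>
    s === undefined ? null : parseInt(s, 10);
  return {
    minIntegerDigits: toInt(m[1]),
    minFractionDigits: toInt(m[2]),
    maxFractionDigits: toInt(m[3]),
  };
}

function isSafeDigitsInfo(
  digitsInfo: string,
  limits: DigitsInfoLimits = DEFAULT_LIMITS,
): boolean {
  // A legitimate value such as "21.20-20" is 8 characters long; refuse
  // anything long enough to encode an oversized count before parsing it.
  if (digitsInfo.length > 16) return false;
  const p = parseDigitsInfo(digitsInfo);
  if (p === null) return false;
  if (p.minIntegerDigits !== null && p.minIntegerDigits > limits.maxIntegerDigits) return false;
  if (p.minFractionDigits !== null && p.minFractionDigits > limits.maxFractionDigits) return false;
  if (p.maxFractionDigits !== null && p.maxFractionDigits > limits.maxFractionDigits) return false;
  // A minimum above the maximum is malformed; reject it instead of guessing.
  if (p.minFractionDigits !== null && p.maxFractionDigits !== null &&
      p.minFractionDigits > p.maxFractionDigits) return false;
  return true;
}

// Returns the caller's digitsInfo only when it passes the checks above and a
// bounded fallback otherwise. Call this where untrusted input enters (query
// parameter, stored user preference, CMS field) so the pipe or formatNumber
// only ever sees a bounded value.
function safeDigitsInfo(
  untrusted: string | null | undefined,
  fallback: string = "1.0-3",
  limits: DigitsInfoLimits = DEFAULT_LIMITS,
): string {
  if (typeof untrusted !== "string") return fallback;
  return isSafeDigitsInfo(untrusted, limits) ? untrusted : fallback;
}

// Constructed sample inputs, including the shape quoted in the advisory.
const samples: string[] = ["1.2-4", "1.200000000-200000000", "1.5-2", "abc"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeDigitsInfo(s));
}
```

In a component the guarded value is what gets bound to the pipe (for example `value | number:digits` where `digits` was produced by `safeDigitsInfo` in the component class), and the same guard sits in front of any direct `formatNumber` call in SSR code. Rejecting rather than clamping keeps behaviour predictable and makes a rejected value easy to log as a signal for the monitoring described below.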

Additionally, monitor your application for unusual resource consumption or crashes that may indicate exploitation attempts.
