CVE-2026-54268
Status: Received (Intake)
Denial of Service in Angular Framework

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Meta Information
Published: 2026-06-22
Last modified: 2026-06-22
Generated: 2026-06-22
AI Q&A generated: 2026-06-22
EPSS evaluated: N/A
Affected Vendors & Products (4 associated CPEs)

Vendor    Product   Version / Range
angular   angular   from 20.0.0-next.0 (inclusive) to 20.3.25 (exclusive)
angular   angular   from 21.0.0-next.0 (inclusive) to 21.2.17 (exclusive)
angular   angular   from 22.0.0-next.0 (inclusive) to 22.0.1 (exclusive)
angular   angular   up to 19.2.25 (inclusive)
Weakness (CWE)

CWE-1333  Inefficient Regular Expression Complexity: the product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
CWE-400   Uncontrolled Resource Consumption: the product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

This vulnerability is a Denial of Service (DoS) issue in the Angular framework's @angular/common package, specifically in the formatDate function and the DatePipe utility.

The problem occurs when a maliciously crafted, excessively long date format string is parsed. The internal parser uses a regular expression loop that iteratively splits the string, which leads to uncontrolled resource consumption such as high CPU usage and excessive memory allocation.

As a result, this can cause the server to crash in Server-Side Rendering (SSR) scenarios or freeze the browser tab in Client-Side Rendering (CSR) applications.

The vulnerability affects Angular versions prior to 22.0.1, 21.2.17, and 20.3.25 and is fixed by limiting the maximum length of the date format string to 256 characters.

Impact Analysis

This vulnerability can impact you by causing Denial of Service (DoS) conditions in your Angular applications.

If an attacker can supply or control the date format string (for example, through user input or API responses), they can craft an excessively long format string that triggers high CPU usage and memory consumption.

This can lead to your server crashing in SSR environments or freezing the browser tab in CSR environments, resulting in service unavailability or degraded user experience.

Detection Guidance

Detection starts with determining whether your Angular application depends on a vulnerable version of the @angular/common package, that is, any version prior to 22.0.1, 21.2.17, or 20.3.25 (and any 19.x release up to 19.2.25).

Detection involves checking the Angular package version in your project dependencies and monitoring for unusually high CPU or memory usage when processing date format strings.

You can check the version from the command line, for example:

  • npm list @angular/common   (the resolved version installed in node_modules)
  • grep @angular/common package.json   (the version range the project declares)

Additionally, monitoring resource usage at runtime can reveal exploitation attempts: tools such as top, htop, or Windows Task Manager will show CPU and memory spikes on an SSR process while it formats dates, and browser developer tools show the same for a client-rendered page.
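The version check described above, written out as an added example (not Angular project code): a small TypeScript script that pulls the resolved @angular/common version out of `npm list` output and tests it against the four affected ranges listed in this advisory. The semver comparison is a minimal implementation written for this example, and the npm output it parses is constructed, not captured from a real project.

```typescript
// Added example (not Angular project code): decide whether an installed
// @angular/common version falls inside the affected ranges listed in this
// advisory. The semver comparison below is a minimal implementation written
// for this example; it handles "X.Y.Z" and "X.Y.Z-next.N" style versions.

interface SemVer {
  major: number;
  minor: number;
  patch: number;
  prerelease: string[]; // ["next", "0"] for 20.0.0-next.0; empty for a release
}

// Accepts "21.2.10", "v21.2.10" or a line such as "└── @angular/common@21.2.10".
function parseSemVer(input: string): SemVer {
  const m = /(?:^|@)v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(input.trim());
  if (!m) throw new Error(`not a semver string: ${input}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), prerelease: m[4] ? m[4].split(".") : [] };
}

// Semver 2.0 precedence for prerelease identifiers: a release outranks any
// prerelease of the same X.Y.Z; numeric identifiers compare numerically and
// rank below alphanumeric ones; a shorter identifier list ranks lower.
function comparePrerelease(a: string[], b: string[]): number {
  if (a.length === 0 || b.length === 0) return a.length === b.length ? 0 : a.length === 0 ? 1 : -1;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (i >= a.length) return -1;
    if (i >= b.length) return 1;
    const aNum = /^\d+$/.test(a[i]);
    const bNum = /^\d+$/.test(b[i]);
    if (aNum && bNum) {
      if (Number(a[i]) !== Number(b[i])) return Number(a[i]) < Number(b[i]) ? -1 : 1;
    } else if (aNum !== bNum) {
      return aNum ? -1 : 1;
    } else if (a[i] !== b[i]) {
      return a[i] < b[i] ? -1 : 1;
    }
  }
  return 0;
}

function compareSemVer(a: SemVer, b: SemVer): number {
  if (a.major !== b.major) return a.major < b.major ? -1 : 1;
  if (a.minor !== b.minor) return a.minor < b.minor ? -1 : 1;
  if (a.patch !== b.patch) return a.patch < b.patch ? -1 : 1;
  return comparePrerelease(a.prerelease, b.prerelease);
}

// Affected ranges exactly as the advisory lists them (inc = inclusive, exc = exclusive).
// Versions outside every range (for example 19.2.26 or 22.0.1) are reported as not affected.
interface AffectedRange { from?: string; to: string; toInclusive: boolean }
const AFFECTED_RANGES: AffectedRange[] = [
  { to: "19.2.25", toInclusive: true },
  { from: "20.0.0-next.0", to: "20.3.25", toInclusive: false },
  { from: "21.0.0-next.0", to: "21.2.17", toInclusive: false },
  { from: "22.0.0-next.0", to: "22.0.1", toInclusive: false },
];

function isAffectedAngularCommon(versionText: string): boolean {
  const v = parseSemVer(versionText);
  return AFFECTED_RANGES.some((r) => {
    if (r.from !== undefined && compareSemVer(v, parseSemVer(r.from)) < 0) return false;
    const c = compareSemVer(v, parseSemVer(r.to));
    return r.toInclusive ? c <= 0 : c < 0;
  });
}

// Extracts the resolved version from `npm list @angular/common` output; null if absent.
function angularCommonVersionFromNpmList(output: string): string | null {
  const m = /@angular\/common@(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)/.exec(output);
  return m ? m[1] : null;
}

// Constructed sample output in the shape `npm list @angular/common` prints (not a real capture).
const SAMPLE_NPM_LIST = [
  "my-app@0.0.0 /home/dev/my-app",
  "└── @angular/common@21.2.10",
].join("\n");

const found = angularCommonVersionFromNpmList(SAMPLE_NPM_LIST);
console.log(`@angular/common ${found}: ${found !== null && isAffectedAngularCommon(found) ? "AFFECTED" : "not in listed ranges"}`);
```

Pipe real output into it (`npm list @angular/common` for the resolved version rather than the range declared in package.json) and treat "not in listed ranges" as "outside what this advisory enumerates", not as proof of safety: the script only encodes the four ranges printed above.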

Mitigation Strategies

The immediate mitigation step is to upgrade the @angular/common package to a patched version where the vulnerability is fixed.

  • Upgrade to Angular 22.0.1, 21.2.17, or 20.3.25, or a later release within the same major version.

These versions include a validation that limits the length of date format strings to a maximum of 256 characters, throwing an error if exceeded, thus preventing the Denial of Service attack.

If immediate upgrade is not possible, consider implementing input validation to restrict the length of date format strings passed to the formatDate function or DatePipe.
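The interim validation suggested above, as an added example that is not Angular code and not part of this advisory: a TypeScript guard that applies the same 256-character cap the fixed versions enforce before a format string reaches formatDate or DatePipe, plus a stricter allow-list for the case where the format name itself comes from an untrusted caller (which goes beyond the length check the advisory describes). The `formatter` parameter and `toyFormatter` stand in for @angular/common's formatDate so the code runs without Angular installed; `safeFormatDate`, `assertSafeDateFormat` and `pickAllowedFormat` are names chosen for this example.

```typescript
// Added example (not Angular project code): validate a date format string
// before it reaches @angular/common's formatDate or DatePipe. The 256-character
// cap matches the limit the advisory says the fixed versions enforce. The
// `formatter` parameter and `toyFormatter` stand in for Angular's formatDate so
// the example runs without Angular installed; `pickAllowedFormat` is a
// hypothetical helper for the stricter allow-list approach.

const MAX_DATE_FORMAT_LENGTH = 256;

type DateFormatter = (value: Date | string | number, format: string, locale: string) => string;

// Rejects formats longer than `max` with a RangeError; returns the format unchanged otherwise.
function assertSafeDateFormat(format: unknown, max: number = MAX_DATE_FORMAT_LENGTH): string {
  if (typeof format !== "string") throw new TypeError("date format must be a string");
  if (format.length > max) {
    throw new RangeError(`date format string is ${format.length} characters; maximum is ${max}`);
  }
  return format;
}

// Drop-in wrapper: same argument order as formatDate(value, format, locale), but guarded.
function safeFormatDate(formatter: DateFormatter, value: Date | string | number, format: string, locale = "en-US"): string {
  return formatter(value, assertSafeDateFormat(format), locale);
}

// Stricter option when the format is chosen by an untrusted caller: accept only
// a name from a fixed allow-list and fall back to a default otherwise.
const ALLOWED_FORMATS: Record<string, string> = {
  short: "M/d/yy",
  iso: "yyyy-MM-dd",
  long: "MMMM d, yyyy",
};
function pickAllowedFormat(name: string, fallback = "iso"): string {
  // hasOwnProperty keeps prototype keys such as "constructor" out of the lookup.
  return Object.prototype.hasOwnProperty.call(ALLOWED_FORMATS, name) ? ALLOWED_FORMATS[name] : ALLOWED_FORMATS[fallback];
}

// Minimal stand-in for formatDate (only yyyy, MM, dd; UTC) so the example runs offline.
const toyFormatter: DateFormatter = (value, format) => {
  const d = value instanceof Date ? value : new Date(value);
  const pad = (n: number) => (n < 10 ? "0" : "") + String(n);
  return format.replace(/yyyy|MM|dd/g, (token) =>
    token === "yyyy" ? String(d.getUTCFullYear()) : token === "MM" ? pad(d.getUTCMonth() + 1) : pad(d.getUTCDate()),
  );
};

const sampleDate = new Date(Date.UTC(2026, 5, 22)); // constructed: the advisory's publication date
console.log(safeFormatDate(toyFormatter, sampleDate, pickAllowedFormat("iso"))); // 2026-06-22
try {
  safeFormatDate(toyFormatter, sampleDate, "yyyy-".repeat(100)); // 500 characters: rejected before any parsing
} catch (e) {
  console.log(`rejected: ${(e as Error).message}`);
}
```

In an application, route every call that takes a caller-controlled format through `safeFormatDate` (or apply `assertSafeDateFormat` in a custom pipe that wraps DatePipe); where the format is only ever one of a few known layouts, `pickAllowedFormat` removes the attack surface entirely instead of merely bounding it.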

Compliance Impact

The provided information does not specify any direct impact of this Denial of Service (DoS) vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
