js · @angular/common · Critical
@angular/common formatDate/DatePipe Denial of Service Vulnerability
A Denial of Service vulnerability was discovered in @angular/common's formatDate function and DatePipe.
What changed
A Denial of Service vulnerability was discovered in @angular/common's formatDate function and DatePipe. The format parameter is not properly length-limited, allowing a maliciously long string to cause high CPU and memory consumption, leading to a crash or freeze.
Who it affects
Angular applications using @angular/common that pass user-controlled date format strings to formatDate or DatePipe, especially under Server-Side Rendering (SSR), or in client-side rendering where the main thread can be blocked.
What to do today
Update @angular/common to version 22.0.1, 21.2.17, or 20.3.25, or ensure date format strings are hardcoded or strictly validated to a reasonable length.
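The second half of that advice (hardcode or strictly validate the format string) is straightforward to enforce at the call site. The following is an added example, not code from @angular/common: a small guard that either restricts the format to a hardcoded allow-list or, where a configurable format is genuinely needed, enforces a length cap and a conservative character set before anything reaches formatDate. The formatter is passed in as a parameter so the file runs offline; in an application you would pass formatDate from @angular/common. The allow-list entries, the 64-character cap and the character class are assumptions chosen for the example.

```typescript
// Added example (not Angular's own code): guarding user-controlled date format
// strings before they are handed to formatDate / DatePipe.

type DateFormatter = (value: Date | number | string, format: string, locale: string) => string;

interface FormatPolicy {
  maxLength: number;               // hard cap, checked before anything else
  fallback: string;                // used whenever the requested format is rejected
  allowList?: ReadonlySet<string>; // when present, only these exact formats pass
}

// Assumed values: the formats this hypothetical app actually uses, plus a cap
// far above the length of any legitimate Angular date pattern.
const DEFAULT_POLICY: FormatPolicy = {
  maxLength: 64,
  fallback: 'mediumDate',
  allowList: new Set(['short', 'medium', 'mediumDate', 'yyyy-MM-dd', 'dd/MM/yyyy HH:mm']),
};

// Conservative character set for the length-only mode: letters, digits and the
// separators that appear in ordinary date patterns. Assumption for the example.
const FORMAT_CHARS = /^[A-Za-z0-9 ,.:/\-']+$/;

// Decide which format string is safe to use for a given request.
function resolveDateFormat(requested: unknown, policy: FormatPolicy = DEFAULT_POLICY): string {
  if (typeof requested !== 'string') return policy.fallback;
  // The length check is O(1) and runs first, so an oversized string is dropped
  // before any tokenising work happens.
  if (requested.length === 0 || requested.length > policy.maxLength) return policy.fallback;
  if (policy.allowList) {
    return policy.allowList.has(requested) ? requested : policy.fallback;
  }
  return FORMAT_CHARS.test(requested) ? requested : policy.fallback;
}

// Wrapper that applies the policy and only then calls the real formatter.
function safeFormatDate(
  formatter: DateFormatter,
  value: Date | number | string,
  requested: unknown,
  locale = 'en-US',
  policy: FormatPolicy = DEFAULT_POLICY,
): string {
  return formatter(value, resolveDateFormat(requested, policy), locale);
}

// Constructed stand-in for formatDate that records which format strings reach it.
function makeRecordingFormatter(): { formatter: DateFormatter; calls: string[] } {
  const calls: string[] = [];
  const formatter: DateFormatter = (_value, format, _locale) => {
    calls.push(format);
    return `<${format}>`;
  };
  return { formatter, calls };
}

// Demo: an oversized request never reaches the formatter; a listed one does.
function runDemo(): string[] {
  const { formatter, calls } = makeRecordingFormatter();
  const oversized = 'y'.repeat(100_000); // constructed input of the kind the advisory describes
  safeFormatDate(formatter, Date.now(), oversized);
  safeFormatDate(formatter, Date.now(), 'yyyy-MM-dd');
  return calls;
}

console.log(runDemo()); // ['mediumDate', 'yyyy-MM-dd']
```

Prefer the allow-list mode wherever the set of formats is known at build time; the length-only mode exists for cases such as user preferences, and even there the cap keeps the input to formatDate bounded.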