Vulnerability Description
The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Angularjs | Angularjs | >= 1.7.0 |
| Fedoraproject | Fedora | 35 |
| Netapp | Ontap Select Deploy Administration Utility | - |
Related Weaknesses (CWE)
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.netapp.com/advisory/ntap-20220629-0009/Third Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735ExploitThird Party Advisory
- https://stackblitz.com/edit/angularjs-material-blank-zvtdvbExploitThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.netapp.com/advisory/ntap-20220629-0009/Third Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737ExploitThird Party Advisory
FAQ
What is CVE-2022-25844?
CVE-2022-25844 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() ...
How severe is CVE-2022-25844?
CVE-2022-25844 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-25844?
Check the references section above for vendor advisories and patch information. Affected products include: Angularjs Angularjs, Fedoraproject Fedora, Netapp Ontap Select Deploy Administration Utility.