Vulnerability Description
Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Angularjs | Angularjs | >= 1.2.21, <= 1.8.3 |
| Fedoraproject | Fedora | 38 |
Related Weaknesses (CWE)
References
- https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320ExploitThird Party Advisory
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322ExploitThird Party Advisory
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321ExploitThird Party Advisory
- https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044ExploitThird Party Advisory
- https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redosExploitThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html
- https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320ExploitThird Party Advisory
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322ExploitThird Party Advisory
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321ExploitThird Party Advisory
- https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044ExploitThird Party Advisory
- https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redosExploitThird Party Advisory
FAQ
What is CVE-2023-26116?
CVE-2023-26116 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. E...
How severe is CVE-2023-26116?
CVE-2023-26116 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-26116?
Check the references section above for vendor advisories and patch information. Affected products include: Angularjs Angularjs, Fedoraproject Fedora.