CVE-2023-26116 — angular vulnerable to regular expression denial of service via the angular.copy(

Description

Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

How to fix CVE-2023-26116

To remediate CVE-2023-26116, upgrade the affected package to a fixed version below.

—upgrade to 1.8.3-1+deb12u1~deb11u1 or later
—no fix listed

Is CVE-2023-26116 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.8.3-1+deb12u1~deb11u1
from 0, <= 1.8.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-26116
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-26116
PATCHgithub.com/angular/angular.js
WEBlists.debian.org/debian-lts-announce/2025/07/msg00005.html