CVE-2024-21490

Description

This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).

How to fix CVE-2024-21490

To remediate CVE-2024-21490, upgrade the affected package to a fixed version below.

• —upgrade to 1.8.3-1+deb12u1~deb11u1 or later
• —no fix listed
• —no fix listed
• —no fix listed

Is CVE-2024-21490 being exploited?

Low — EPSS is 2.3%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 1.8.3-1+deb12u1~deb11u1
• >= 1.3.0, <= 1.8.3
• >= 1.3.0, <= 1.8.3
• >= 1.3.0, <= 1.8.3

CVSS scores

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-21490
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-21490
• PATCHgithub.com/angular/angular.js
• WEBlists.debian.org/debian-lts-announce/2025/07/msg00005.html
• WEB