CVE-2026-54268
@angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
Description
A Denial of Service (DoS) vulnerability exists in the `@angular/common` package of the Angular framework. The `formatDate` function, which is also utilized by the standard Angular `DatePipe`, does not properly limit or validate the length of the `format` parameter. When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS). ### Impact #### 1. Server-Side Rendering (SSR) In Angular applications that leverage Server-Side Rendering, an attacker can supply a malicious payload with an excessively long date format string. Processing this on the server causes high CPU usage and triggers a `JavaScript heap out of memory` crash, rendering the application unavailable to all users. #### 2. Client-Side Rendering (CSR) In standard client-side applications, executing the vulnerable function with an excessively long format string blocks the browser's main thread, causing the browser tab to freeze and become completely unresponsive. ### Patched Versions * 22.0.1 * 21.2.17 * 20.3.25 ### Attack Preconditions For this vulnerability to be exploitable, both of the following conditions must be met: 1. **Vulnerable Component Usage:** The application must format dates using the `formatDate` utility or the `DatePipe`. 2. **Attacker-Controlled Parameter:** The date format string passed to these utilities must be customizable or directly controlled by untrusted user input (e.g., parsed from query parameters, user preferences, or API responses). *If the date format is hardcoded (e.g., `'mediumDate'`, `'shortTime'`, or static strings) or properly validated to be within a reasonable length limit, the application is not vulnerable.*
How to fix CVE-2026-54268
To remediate CVE-2026-54268, upgrade the affected package to a fixed version below.
- —upgrade to 22.0.1 or later
Is CVE-2026-54268 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-54268.