VulWall Team February 18, 2026 4 min read

Outdated AngularJS Library Can Be Used to Slow Down Your App

Your website uses an old version of AngularJS (a JavaScript framework) that contains a flaw in how it processes certain web addresses. An attacker could send a specially crafted request that causes your server to spend a disproportionate amount of time processing it, potentially slowing down or temporarily making your app unresponsive for other users. This is a medium-severity issue — it's worth fixing, but it's not an emergency.

OWASP A06 Effort: large Exploitable
redos denial-of-service angularjs regex cve eol-library frontend javascript

Business Impact And Actions

medium urgency

Business Impact

If exploited, this could cause temporary slowdowns or brief unavailability of your application for legitimate users. It does not expose customer data or allow attackers to take control of your systems. The main business risk is service disruption, which could affect user experience and, if sustained, trigger uptime-related concerns in customer contracts or compliance reviews. Note that AngularJS itself is no longer maintained by its creators, meaning this vulnerability will never receive an official free patch — making migration the long-term solution.

What To Do

  1. Ask your developer to check whether your application actively uses the AngularJS '$resource' service to make API calls — if it doesn't, your exposure is lower.
  2. Plan to migrate away from AngularJS to a modern, actively maintained framework (such as Angular 17+, React, or Vue). AngularJS is end-of-life and will continue to accumulate unpatched vulnerabilities.
  3. As a short-term measure, ask your developer to add input validation or rate limiting on any API endpoints that receive user-supplied URL parameters.
  4. If migration is not feasible soon, evaluate a commercial extended support option (such as HeroDevs NES for AngularJS) which provides patched versions.

AngularJS <= 1.8.3 ReDoS via $resource Trailing Slash Pattern (CVE-2023-26117)

medium severity CVSS 5.3

Vulnerability Explanation

The AngularJS `$resource` service uses a regular expression to process URL templates that contains an inefficient, potentially exponential worst-case complexity pattern (CWE-1333). When a URL containing a large number of consecutive slashes followed by a non-slash character is passed to `$resource`, the regex engine enters catastrophic backtracking, consuming excessive CPU cycles. An attacker who can influence the URL parameter passed to `$resource` — for example, through a user-controlled route or query parameter — can trigger this condition remotely with no authentication required. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) reflects network-reachable exploitation with no privileges needed, but with only low availability impact.

Root Cause

The root cause is an insufficiently constrained regular expression in the AngularJS `$resource` URL parser. The regex uses a pattern susceptible to catastrophic backtracking when processing pathological inputs with repeated slash characters. Because AngularJS reached end-of-life on December 31, 2021, no upstream patch has been released for the open-source version.

Technical Impact

An attacker can cause the JavaScript event loop (Node.js server-side rendering) or the browser's main thread to stall for an extended period, resulting in denial of service for other users. There is no confidentiality or integrity impact — this is a pure availability issue. Exploitation requires the ability to supply a crafted URL string to a `$resource` call.

Severity Justification

CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Impact is limited to availability (low), with no data exposure or integrity risk. EPSS exploitation probability is approximately 0.27%, indicating low real-world exploitation activity.

Affected Components

  • angular (npm) >= 1.0.0, <= 1.8.3

Remediation Steps

  1. Audit your codebase to identify all uses of AngularJS's `$resource` service and whether URL parameters can be influenced by user input. If `$resource` is not used, risk is negligible.
  2. Preferred long-term fix: migrate to a modern, actively maintained framework (Angular 17+, React, Vue). AngularJS is EOL and will not receive free upstream patches.
  3. Short-term mitigation if migration is not immediately feasible: validate and sanitize all URL strings passed to `$resource` to reject inputs containing sequences of more than a few consecutive slashes (e.g., enforce a regex like `/^[^/]*(/[^/]+)*$/` on inputs before passing them to `$resource`).
  4. If you require a patched drop-in version of AngularJS, evaluate HeroDevs NES for AngularJS (versions 1.9.1+ and 1.5.17+ contain a fix for this CVE) as a commercial extended support option.
  5. Add server-side rate limiting on endpoints that accept user-supplied URL parameters to reduce the impact of any attempted ReDoS attack.

Verification Steps

  1. Search your codebase for `$resource` usage: `grep -r '\$resource' src/` — review each call site to determine if the URL argument can be user-influenced.
  2. If using npm, confirm the installed version: `npm list angular` — it should not show a version <= 1.8.3.
  3. Test the fix by passing a crafted URL with many consecutive slashes (e.g., `/api///////foo`) to any `$resource` call and confirm the application does not hang or spike CPU.

Code Examples (javascript)

Vulnerable
// User-controlled input passed directly to $resource
const userPath = req.query.path; // e.g. '/api///////foo'
const Resource = $resource(userPath);
Resource.query();
Fixed
// Validate input before use — reject paths with consecutive slashes
const userPath = req.query.path;
const safePathPattern = /^\/([a-zA-Z0-9_\-]+\/)*([a-zA-Z0-9_\-]+)?$/;
if (!safePathPattern.test(userPath)) {
  throw new Error('Invalid path parameter');
}
const Resource = $resource(userPath);
Resource.query();

Best Practices

  • Never pass unsanitized user input directly into URL template strings used by HTTP client libraries.
  • Establish a dependency review process to flag end-of-life libraries — EOL packages will accumulate CVEs with no free upstream remediation.
  • Implement server-side rate limiting and request timeout policies to bound the impact of any CPU-exhaustion attack.

References

Found this in your infrastructure?

VulWall scans for this and dozens of other issues automatically.

Scan Your Domain Free
Back to Knowledge Base