Outdated JavaScript Framework Can Be Used to Take Your App Offline

Your application uses AngularJS 1.8.3, an outdated JavaScript framework that contains a known security flaw (CVE-2024-21490). An attacker can send a specially crafted request that causes your app to freeze or crash — making it unavailable to your customers. Importantly, AngularJS reached its official end of life in December 2021 and will never receive a patch for this issue.

Business Impact And Actions

Urgency: high

Business Impact

If exploited, this vulnerability can make your web application completely unresponsive, resulting in service downtime for your customers. Downtime directly affects revenue, customer trust, and — depending on your industry — may trigger SLA breaches or compliance concerns. Because no official patch exists for AngularJS, the risk will persist until the framework is replaced.

What To Do

  1. Ask your development team to assess how much of your application relies on AngularJS — this will determine the scope of the migration effort.
  2. Plan a migration away from AngularJS to a modern, actively maintained framework (such as Angular, React, or Vue). This is the only permanent fix.
  3. As a short-term measure, ask your developer to add input length limits on any form fields or URL inputs that feed into image-related components, to reduce the chance of a successful attack.
  4. If a full migration is not immediately feasible, ask your developer to evaluate commercial long-term support options for AngularJS (e.g., HeroDevs NES) that provide security patches for EOL versions.

AngularJS 1.x ReDoS via ng-srcset Directive (CVE-2024-21490)

Severity: high

Vulnerability Explanation

The AngularJS `ng-srcset` directive uses a regular expression to split its attribute value into individual image source URLs. This regex is susceptible to catastrophic backtracking when given a large, carefully crafted input string — for example, a long sequence of URLs separated by many spaces and commas. The JavaScript regex engine must explore an exponentially growing number of matching paths, causing CPU to spike and the browser tab or Node.js server thread to hang. The attack requires no authentication and no user interaction: any endpoint that renders attacker-controlled content inside an `ng-srcset` attribute is a viable attack surface.

Root Cause

The root cause is an inefficiently designed regular expression in AngularJS's `ng-srcset` directive handler that does not account for worst-case backtracking complexity. Because AngularJS reached end of life on December 31, 2021, no official patch has been or will be issued for this flaw.

Technical Impact

An unauthenticated remote attacker can trigger a Denial of Service (DoS) by supplying a crafted `ng-srcset` value. This causes the application to become unresponsive — either hanging the browser tab (client-side rendering) or spiking CPU on the server (server-side rendering / Node.js). Availability is fully impacted; confidentiality and integrity are not affected.

Severity Justification

CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Network-exploitable with no privileges or user interaction required. Impact is limited to availability — no data exposure or integrity risk.

Affected Components

  • angular (AngularJS) >= 1.3.0 and <= 1.8.3

Remediation Steps

  1. Audit your codebase to identify all uses of the `ng-srcset` directive and any dynamic data bound to it from user-controlled sources.
  2. Migrate from AngularJS (`angular` npm package) to a supported framework. The official recommendation is `@angular/core` (modern Angular). React and Vue are also viable alternatives depending on your stack.
  3. If a full migration is not immediately feasible, evaluate commercial long-term support from HeroDevs (NES), which has issued a patch for this CVE in versions 1.9.3+ and 1.5.19+.
  4. As a short-term mitigation, implement strict server-side input validation to reject or truncate abnormally long strings before they are bound to `ng-srcset` attributes.
  5. After migration, remove the `angular` npm package entirely and audit `package.json` and `package-lock.json` to confirm no transitive dependency re-introduces it.
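Remediation step 4 (and step 3 of "What To Do" above) asks for server-side length limits and validation on anything bound to `ng-srcset`. The following is an added example, not code from AngularJS, HeroDevs or this advisory: a bounded, linear-time validator for a user-supplied srcset value that runs before the value is stored or rendered. It rejects oversized input first, so every later step costs at most `MAX_LENGTH` work, then parses candidates without any regex that could backtrack. `MAX_LENGTH`, `MAX_CANDIDATES` and the sample inputs are assumptions chosen for illustration; tune the limits to the image variants your application really serves.

```javascript
// Added example, not code from AngularJS or from this advisory: a bounded,
// linear-time validator for user-supplied srcset values, run server-side
// before the value is stored or bound to an ng-srcset attribute. Oversized
// or malformed strings are refused here, so they never reach the
// framework's regex-based srcset parser. The limits are assumptions chosen
// for illustration.

const MAX_LENGTH = 2048;   // assumed cap on the whole srcset string
const MAX_CANDIDATES = 16; // assumed cap on "url descriptor" entries
// Width ("480w") or pixel-density ("1.5x") descriptor. Anchored, with no
// nested quantifiers, and only ever applied to one short token.
const DESCRIPTOR_PATTERN = /^(?:\d+w|\d+(?:\.\d+)?x)$/;

// Returns { ok: true, candidates: [...] } or { ok: false, reason }.
function validateSrcset(value) {
  if (typeof value !== "string") return { ok: false, reason: "not a string" };
  // Length check first: every later step is now bounded by MAX_LENGTH.
  if (value.length > MAX_LENGTH) return { ok: false, reason: "too long" };

  const candidates = [];
  // A comma always ends a candidate. This is stricter than the HTML spec,
  // which tolerates commas inside URLs, but it keeps the split trivial.
  for (const raw of value.split(",")) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0 || parts.length > 2) {
      return { ok: false, reason: "malformed candidate" };
    }
    const [url, descriptor] = parts;
    let parsed;
    try {
      parsed = new URL(url); // WHATWG parser: refuses relative paths and garbage
    } catch (e) {
      return { ok: false, reason: "invalid url" };
    }
    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
      return { ok: false, reason: "disallowed scheme" };
    }
    if (descriptor !== undefined && !DESCRIPTOR_PATTERN.test(descriptor)) {
      return { ok: false, reason: "invalid descriptor" };
    }
    candidates.push({ url, descriptor: descriptor === undefined ? null : descriptor });
    if (candidates.length > MAX_CANDIDATES) {
      return { ok: false, reason: "too many candidates" };
    }
  }
  return { ok: true, candidates };
}

// Constructed sample inputs: one well-formed value and three that must be refused.
const SAMPLE_INPUTS = [
  "https://cdn.example.test/hero-480.jpg 480w, https://cdn.example.test/hero-960.jpg 2x",
  "javascript:void(0) 1x",
  "https://cdn.example.test/a.jpg 480w 2x",
  "x".repeat(MAX_LENGTH + 1),
];

for (const input of SAMPLE_INPUTS) {
  const result = validateSrcset(input);
  console.log(result.ok ? "accepted" : `rejected (${result.reason})`, JSON.stringify(input.slice(0, 60)));
}
```

Call `validateSrcset` in the request handler that accepts the value and only persist or render the `candidates` array it returns; the original string should never be bound to the attribute. The rejection reason is useful for logging so that a burst of "too long" or "too many candidates" rejections from one source stands out.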

Verification Steps

  1. Run `npm list angular` or `grep -r '"angular"' package.json package-lock.json` to confirm the vulnerable package is no longer present.
  2. Search the codebase for `ng-srcset` usages: `grep -r 'ng-srcset' src/` — verify none remain bound to unvalidated user input.
  3. Use a dependency audit tool (`npm audit` or Snyk CLI) after migration to confirm CVE-2024-21490 is no longer reported.
  4. If using HeroDevs NES, verify the installed version is >= 1.9.3 (1.9 branch) or >= 1.5.19 (1.5 branch).

Best Practices

  • Never use end-of-life frontend frameworks in production — subscribe to EOL calendars (e.g., endoflife.date) and plan migrations before support ends.
  • Validate and sanitize all user-supplied input server-side before it is rendered into any HTML attribute, including image source sets.
  • Regularly run `npm audit` or integrate a software composition analysis (SCA) tool into your CI/CD pipeline to catch vulnerable dependencies automatically.
  • When evaluating regex patterns in your own code, use tools like regex101.com or safe-regex to check for catastrophic backtracking potential.
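The last best practice recommends checking your own regexes for catastrophic backtracking. The following is an added example, not code from safe-regex, regex101 or this advisory: a small structural lint in the spirit of safe-regex's star-height heuristic. It walks a pattern's source and reports the deepest nesting of repetition operators (`*`, `+`, `{n,m}`); a height of 2 or more, a repeated group that itself contains a repeat such as `(a+)+`, is the classic shape behind exponential backtracking. The sample patterns are constructed, and the lint is a heuristic only: it does not detect ambiguity inside alternations such as `(a|aa)+`, so it complements, rather than replaces, a fuzz or timing test.

```javascript
// Added example, not from the safe-regex project or this advisory: a
// star-height estimate for a regex source string. Height >= 2 means a
// repeated group that contains another repeat, the usual ReDoS shape.

function starHeight(source) {
  let max = 0;
  const groups = [];    // per open group: highest star height seen inside it
  let lastAtom = null;  // { inner } of the atom a following quantifier applies to
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    if (c === "\\") {                       // escape such as \d or \. : one atom
      lastAtom = { inner: 0 };
      i += 2;
    } else if (c === "[") {                 // character class: one atom, skip its body
      let j = i + 1;
      if (source[j] === "^") j++;
      if (source[j] === "]") j++;           // a leading ] is literal
      while (j < source.length && source[j] !== "]") {
        if (source[j] === "\\") j++;
        j++;
      }
      lastAtom = { inner: 0 };
      i = j + 1;
    } else if (c === "(") {
      groups.push(0);
      lastAtom = null;
      i++;
      if (source[i] === "?") {              // (?:...), (?=...), (?!...), (?<=...), (?<name>...)
        while (i < source.length && !":=!>".includes(source[i])) i++;
        i++;
      }
    } else if (c === ")") {
      const inner = groups.pop() || 0;
      if (groups.length) groups[groups.length - 1] = Math.max(groups[groups.length - 1], inner);
      lastAtom = { inner };                 // the group is now the atom a quantifier would apply to
      i++;
    } else if (c === "*" || c === "+" || c === "{") {
      if (c === "{") {                      // {n}, {n,} or {n,m}
        const close = source.indexOf("}", i);
        i = close < 0 ? i + 1 : close + 1;
      } else {
        i++;
      }
      if (source[i] === "?") i++;           // lazy suffix
      const height = (lastAtom ? lastAtom.inner : 0) + 1;
      max = Math.max(max, height);
      if (groups.length) groups[groups.length - 1] = Math.max(groups[groups.length - 1], height);
      lastAtom = null;                      // a quantified atom cannot be quantified again
    } else {
      if (c !== "?") lastAtom = { inner: 0 }; // `?` makes an atom optional, not repeated
      i++;
    }
  }
  return max;
}

function isSuspicious(source) {
  return starHeight(source) >= 2;
}

// Constructed sample patterns.
const SAMPLE_PATTERNS = [
  "(a+)+$",                      // nested repeat: flagged
  "^(\\d+w|\\d+(\\.\\d+)?x)$",   // srcset descriptor check: height 1
  "^[^\\s,]+(\\s+[^\\s,]+)?$",   // repeat inside an optional group: height 1
];
for (const p of SAMPLE_PATTERNS) {
  console.log(starHeight(p), isSuspicious(p) ? "suspicious" : "ok", p);
}
```

Run it over the `source` of every `RegExp` your code applies to untrusted input (`/x/.source` or `new RegExp(...).source`) as a unit test, and treat a result of 2 or more as a review item; the patterns in the validator and lockfile examples above all stay at height 1.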
