Denial of Service Vulnerability in Angular's @angular/common Package
CVE-2026-54268

8.2HIGH

Key Information:

Vendor

Angular

Status
Angular
Vendor
CVE Published:
22 June 2026

What is CVE-2026-54268?

A Denial of Service vulnerability exists in the @angular/common package of Angular before versions 22.0.1, 21.2.17, and 20.3.25. The issue stems from the formatDate function, which lacks proper validation of the format parameter length. This allows an attacker to craft an excessively long date format string that, when processed, causes the parser to loop and exhaust system resources. Consequently, this could lead to high CPU consumption and significant memory usage, crippling the application and denying legitimate users access. It is crucial for users to upgrade to the patched versions to mitigate this risk.

Affected Version(s)

angular >= 22.0.0-next.0 < 22.0.1 < 22.0.0-next.0 22.0.1

angular >= 21.0.0-next.0 < 21.2.17 < 21.0.0-next.0 21.2.17

angular >= 20.0.0-next.0 < 20.3.25 < 20.0.0-next.0 20.3.25

References

https://github.com/angular/angular/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/angular/angular/pull/69197
x_refsource_MISC
https://github.com/angular/angular/commit/eeb03f4ea310e2e...
x_refsource_MISC

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.