CVE-2022-25844: Regular Expression Denial of Service (ReDoS)
First published: Sun May 01 2022(Updated: )
The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.
Credit: report@snyk.io report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Angularjs Angular | >=1.7.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| NetApp ONTAP Select Deploy administration utility |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO/
- https://security.netapp.com/advisory/ntap-20220629-0009/
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737
- https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735
- https://stackblitz.com/edit/angularjs-material-blank-zvtdvb
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO/
Frequently Asked Questions
What is CVE-2022-25844?
CVE-2022-25844 is a vulnerability in the Angular package after version 1.7.0 that allows for Regular Expression Denial of Service (ReDoS) attacks.
How does CVE-2022-25844 work?
CVE-2022-25844 works by allowing an attacker to provide a custom locale rule that can result in a high value assignment, leading to a ReDoS vulnerability.
Which software versions are affected by CVE-2022-25844?
Angular versions after 1.7.0, Fedora 35, Fedora 36, and NetApp ONTAP Select Deploy administration utility are affected by CVE-2022-25844.
What is the severity of CVE-2022-25844?
CVE-2022-25844 has a severity level of high, with a severity value of 7.5.
How can I fix CVE-2022-25844?
To fix CVE-2022-25844, update your Angular package to a version after 1.7.0 or apply the necessary patches or updates provided by the vendor.
- collector/nvd-api
- collector/nvd-index
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/title
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/angularjs
- canonical/angularjs angular
- version/angularjs angular/1.7.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- vendor/netapp
- canonical/netapp ontap select deploy administration utility