Bug 2491411 (CVE-2026-54268)

Summary: CVE-2026-54268 @angular/common: Angular @angular/common: Denial of Service via crafted date format string
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, aoconnor, bniver, ewittman, flucifre, gmalinko, gmeno, gotiwari, gparvin, groman, janstey, jhorak, mbenjamin, mhackett, mvyas, nipatil, pahickey, pantinor, pdelbell, rhaigner, rhel-process-autobot, rkubis, rstepani, sostapov, vereddy, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the `@angular/common` package of the Angular framework. A remote attacker could exploit a Denial of Service (DoS) vulnerability in the `formatDate` function, which is also used by the Angular DatePipe, by providing an excessively long and maliciously crafted date format string. This improper validation of the format parameter's length leads to uncontrolled resource consumption, such as high CPU utilization and excessive memory allocations, ultimately resulting in a Denial of Service for the affected application.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-22 16:02:01 UTC
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.