Decorative image for blog on AngularJS CVE 2022-25844
November 14, 2023

AngularJS CVE 2022-25844: Impact and Mitigation Steps


Since AngularJS reached end-of-life on December 31, 2021, a number of vulnerabilities have been discovered. If your organization is among the 15% still running EOL AngularJS*, CVE 2022-25844 could make your applications susceptible to an attack that could hang or crash your system. 

Read on to find out what AngularJS CVE 2022-25844 does, who it impacts, and how to prevent it from being exploited if you are not able to migrate right now to a supported open source framework

*Source: 2024 State of Open Source Report

Back to top

What Is AngularJS CVE-2022-25844?

AngularJS CVE-2022-25844 is a Regular Expression Denial of Service (ReDoS) vulnerability published in the National Vulnerability Database on May 1, 2022 and classified as high severity, with a CVSS score of 7.5. 

Back to top

Who Does AngularJS CVE-2022-25844 Impact?

AngularJS 1.7 and higher versions are affected by this vulnerability; however, the level of risk will depend on whether or not the system is closed off. For example, if the AngularJS-based application is for internal use and protected by a firewall, this reduces the likelihood of a malicious actor being able to successfully exploit it. 

Before taking any action, it’s worth weighing the consequences of an attack against mitigation steps. If you determine that your application is vulnerable, consider how damaging an exploit would be — would it cause applications to crash? Bring down a critical application? How complicated would it be to get things up and running again? Are there other vulnerable applications on the long-term roadmap?

Back to top

How Does CVE-2022-25844 Work?

CVE 2022-25844 enables someone to add a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. This means hackers can craft inputs that purposefully force the regular expression (RegEx) to excessively backtrack, or rerun commands endlessly, which causes a spike in CPU consumption that could overwhelm the system. This could prevent it from taking new requests and ultimately bring the system down.

Back to top

Consequences of an AngularJS CVE-2022-25844 Exploit

At a minimum, an exploit of this vulnerability would impact performance by using too much CPU on a web page, preventing the page from loading and causing the browser to freeze. If done repeatedly, it could affect the computer's performance, eventually causing many applications to be slowed down or completely overwhelmed. On a site that gets a lot of traffic, this would quickly wreak havoc, inconveniencing many users and damaging the business — which is likely the attacker’s goal.

Some good news: ReDoS attacks don’t result in personal data getting stolen because it is just about denial of service. However, they can still cause significant reputational damage and be very costly; according to the penetration testing firm Securitum, ReDoS exploits “can disrupt vital business operations or lead to extended downtime, culminating in revenue and productivity losses.” Imagine you are a retailer and your e-commerce site crashes on Black Friday. In addition to the barrage of customer service complaints, the impact to revenue could be catastrophic.

Back to top

How to Protect Against CVE-2022-25844

In the case of a ReDoS attack, throttling requests doesn’t solve the issue because the exploit is internal — the number of requests coming in is not the problem. So the first line of defense is to discover where the nefarious request is coming from and tell your system not to accept requests from that IP anymore. This walls off your system temporarily, but it’s not a permanent fix because a persistent hacker will just find another way in. 

Another temporary measure would be to disable the vulnerable feature or page in the application; however, that has some obvious drawbacks, since those pages could be essential to the application’s mission. Permanent resolution requires making changes to the way the application uses the framework or patching the framework itself.

If you don’t have the resources or expertise in-house to code, compile, and distribute a patch, your best bet is to find a third party who can provide long-term support (LTS). OpenLogic’s AngularJS LTS includes access to a private repository of security patches for medium to high severity CVEs, as well as workarounds and fixes for browser updates that cause breaking changes. Our enterprise architects can also help you explore AngularJS alternatives so you can plan your migration off AngularJS.   

Back to top

Final Thoughts

AngularJS vulnerabilities like CVE 2022-25844 allow hackers to inject a malicious string into the RegEx that basically turns it into a pry bar to get into the system and bring it down.  A Snyk report from 2019 found that ReDoS attacks are on the rise, perhaps because they are relatively easy to execute. They also may be underreported because if customer data isn’t exposed, companies may not have to disclose the attack. But make no mistake — CVEs like 2022-25844 can be devastating and if you are on AngularJS 1.7 or above, doing nothing could be a decision you come to regret. 

Need Patches for Your AngularJS?

Minimizing your exposure to CVEs is a necessity. Our team can help assess your infrastructure and determine the steps to make it more secure. Talk to an expert today to schedule your assessment.

Talk to an AngularJS Expert

Additional Resources

Back to top