GHSA-p3vc-36g9-x9gr: @angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)
Summary
Angular's `formatNumber` function, which DecimalPipe, PercentPipe, and CurrencyPipe use to format numbers in templates, does not limit how large the `digitsInfo` parameter (which specifies decimal places, for example '1.2-4') can be. An attacker who controls this parameter can force the function into an unbounded loop that crashes the server with an out-of-memory error in server-side applications or freezes the user's browser in client-side applications.
Solution / Mitigation
Update to one of these patched versions: Angular 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23.
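Where `digitsInfo` can be influenced by request data, it can also be validated before it reaches the pipes or `formatNumber`. The following is an added example, not code from Angular or from the advisory; `MAX_DIGITS`, `MAX_LENGTH`, `checkDigitsInfo` and `safeDigitsInfo` are assumed names and limits chosen for illustration.

```typescript
// Added example: bound an untrusted digitsInfo string before formatting.
// MAX_DIGITS and MAX_LENGTH are assumed application limits, not Angular values.
const MAX_DIGITS = 20;
const MAX_LENGTH = 16;

// Documented digitsInfo shape:
// {minIntegerDigits}.{minFractionDigits}-{maxFractionDigits}
const DIGITS_INFO = /^(\d+)?\.((\d+)(-(\d+))?)?$/;

interface DigitsCheck {
  ok: boolean;
  reason?: string;
}

function checkDigitsInfo(value: unknown): DigitsCheck {
  if (typeof value !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  // Reject very long digit runs before any parsing or numeric conversion.
  if (value.length > MAX_LENGTH) {
    return { ok: false, reason: 'too long' };
  }
  const m = DIGITS_INFO.exec(value);
  if (m === null) {
    return { ok: false, reason: 'bad format' };
  }
  // Groups 1, 3 and 5 are min integer, min fraction and max fraction digits.
  for (const part of [m[1], m[3], m[5]]) {
    if (part !== undefined && Number(part) > MAX_DIGITS) {
      return { ok: false, reason: 'digit count above limit' };
    }
  }
  if (m[3] !== undefined && m[5] !== undefined && Number(m[3]) > Number(m[5])) {
    return { ok: false, reason: 'min fraction exceeds max' };
  }
  return { ok: true };
}

// Returns the input when it passes the check, otherwise a fixed fallback.
// '1.0-3' matches DecimalPipe's documented default digit settings.
function safeDigitsInfo(value: unknown, fallback: string = '1.0-3'): string {
  return checkDigitsInfo(value).ok ? (value as string) : fallback;
}
```

This check complements the upgrade to a patched release and does not replace it.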
Vulnerability Details
EPSS: 0.0%
June 15, 2026
Original source: https://github.com/advisories/GHSA-p3vc-36g9-x9gr
First tracked: June 15, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%