CVE-2023-26117: 
JavaScript vulnerability analysis and mitigation

CVE-2023-26117 affects versions of the Angular package from 1.0.0 onwards, involving a Regular Expression Denial of Service (ReDoS) vulnerability in the $resource service. The vulnerability was discovered by Michael Prentice and George Kalpakas, disclosed on March 26, 2023, and published on March 29, 2023. The issue stems from the usage of an insecure regular expression in the $resource service, which can be exploited through carefully-crafted inputs (Snyk Advisory).

The vulnerability is caused by an insecure regular expression implementation in Angular's $resource service. When the service processes URLs containing multiple consecutive slashes followed by a non-slash character, it can trigger catastrophic backtracking in the regular expression engine. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The issue is classified under CWE-1333 (Inefficient Regular Expression Complexity) (NVD).

When exploited, this vulnerability can cause excessive CPU consumption through catastrophic backtracking in the regular expression engine. For example, processing a string with 14 consecutive slashes can require over 65,000 computational steps, significantly impacting system performance. This can lead to reduced service availability or partial denial of service conditions (Snyk Advisory).

Currently, there is no fixed version available for the affected Angular package. No official workarounds have been published by the vendor (Snyk Advisory).