CVE-2024-21490: 
Java vulnerability analysis and mitigation

CVE-2024-21490 affects versions of the Angular package from 1.3.0 onwards. The vulnerability involves a regular expression used to split the value of the ng-srcset directive that is vulnerable to super-linear runtime due to backtracking. This vulnerability was discovered by George Kalpakas and disclosed on November 28, 2023. The affected package is end-of-life (EOL) and will not receive any updates to address this issue (Snyk Advisory).

The vulnerability is classified as CWE-1333 (Inefficient Regular Expression Complexity) with a CVSS v3.1 base score of 7.5 (High). The issue occurs in the regular expression parsing of the ng-srcset directive, where carefully-crafted input can cause catastrophic backtracking. The vulnerability is particularly concerning because it can be triggered with network-accessible input and requires no special privileges or user interaction to exploit (Snyk Advisory).

When exploited, this vulnerability can result in a Denial of Service (DoS) condition. The attack causes the service to excessively consume CPU resources due to catastrophic backtracking in the regular expression evaluation, potentially making the application unresponsive. The impact is particularly severe as it affects availability while requiring no special privileges to execute (Snyk Advisory).

As the affected package is EOL, there will be no official security updates. The recommended mitigation is to migrate to @angular/core. For organizations that cannot immediately migrate, commercial support is available from HeroDevs, who have developed a patch for this vulnerability (HeroDevs Advisory).