CVE-2024-21490 identifies a Regular Expression Denial of Service (ReDoS) vulnerability in Angular version 1.3.0, specifically within the regular expression used to split the value of the ng-srcset directive. The vulnerability stems from the use of a regex pattern that exhibits super-linear runtime complexity due to catastrophic backtracking when processing large, carefully crafted input strings. This can cause the application to consume excessive CPU resources, leading to denial of service conditions. The vulnerability does not require any privileges or user interaction to exploit, making it remotely exploitable over the network. Angular 1.3.0 is an outdated and end-of-life package, meaning no patches will be issued to fix this issue. The recommended remediation is to migrate to the actively maintained @angular/core package, which does not contain this vulnerability. The CVSS 3.1 base score of 7.5 reflects a high severity due to network attack vector, low attack complexity, no privileges required, no user interaction, and a direct impact on availability. While no known exploits have been reported in the wild, the vulnerability poses a risk to legacy web applications that still rely on Angular 1.3.0, especially those that process user-supplied input in the ng-srcset directive. Attackers could craft malicious payloads to trigger the regex backtracking, causing service outages or degraded performance.

For European organizations, the impact of CVE-2024-21490 primarily involves potential denial of service attacks against web applications using Angular 1.3.0. Such attacks could disrupt availability, leading to downtime, degraded user experience, and potential loss of business continuity. Sectors with high reliance on legacy web applications, such as government portals, financial services, and critical infrastructure, could experience operational disruptions. Additionally, denial of service conditions might be leveraged as part of multi-stage attacks or to distract security teams. Since the vulnerability does not affect confidentiality or integrity directly, data breaches are less likely, but service unavailability can have significant reputational and financial consequences. The lack of patches due to the package being end-of-life increases risk, as organizations must rely on migration or compensating controls. European entities with strict uptime and service-level agreements could face compliance and contractual penalties if affected by outages caused by this vulnerability.

1. Immediate migration from Angular 1.3.0 to the supported and actively maintained @angular/core package is the most effective mitigation, eliminating the vulnerable code entirely. 2. For organizations unable to migrate immediately, implement strict input validation and sanitization on any user-supplied data that could be processed by the ng-srcset directive to prevent malicious payloads triggering catastrophic backtracking. 3. Deploy web application firewalls (WAFs) with custom rules to detect and block suspiciously large or malformed inputs targeting the ng-srcset attribute. 4. Apply rate limiting and anomaly detection on endpoints serving Angular-based applications to mitigate potential denial of service attempts. 5. Monitor application performance metrics and logs for signs of excessive CPU usage or slowdowns indicative of ReDoS exploitation attempts. 6. Educate development and security teams about the risks of using end-of-life software and the importance of timely upgrades. 7. Where migration is not feasible, consider isolating legacy Angular applications behind reverse proxies or API gateways that can enforce additional security controls.