CVE-2026-54267 - High Severity Vulnerability
Vulnerable Library - core-12.2.5.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-12.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ core-12.2.5.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via "provideClientHydration()". During SSR, Angular serializes the application's runtime state (such as cached "HttpClient" responses) and outputs it into the HTML stream as a "<script>" tag with a predictable identifier: <script type="application/json" id="ng-state"> {"some-api-url": {"body": ...}} </script>During client bootstrap, Angular recovers this state by looking up the element via "document.getElementById('ng-state')" and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector ("ng-state"), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as "id" (e.g., "<div [id]="userInput">" or "") before the genuine "<script>" tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls "document.getElementById('ng-state')", the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. Impact By clobbering the state element, the attacker can inject a custom JSON payload into Angular's "TransferState" cache. The most critical exploitation vector is poisoning the HTTP Transfer Cache. 1. The attacker injects a clobbered "ng-state" element containing custom JSON. 2. The JSON maps a key (representing a target API endpoint URL) to a malicious payload of the attacker's choice. 3. During client-side initialization, Angular's "HttpClient" checks "TransferState" before making requests. Finding the poisoned key, "HttpClient" returns the forged response instantly instead of requesting the genuine backend API. Depending on how the application processes and renders the affected API response, this can lead to: * DOM-based Cross-Site Scripting (XSS) if poisoned fields are rendered using unsafe bindings. * Privilege Escalation by spoofing user info or session details retrieved from poisoned API payloads. * UI Hijacking and redirection by spoofing configuration endpoints. Patched Versions * 22.0.1 * 21.2.17 * 20.3.25 Workarounds If you cannot immediately update to a patched Angular version, apply the following workarounds: A. Avoid Dynamic/User-Controlled IDs Avoid binding raw user-supplied values or dynamic CMS IDs directly to element attributes. If dynamic IDs are required, sanitize them or prepend a static safe prefix: <div [id]="userControlledInput">... <div [id]="'safe-prefix-' + userControlledInput">... B. Configure a Custom Application ID Declaring a unique, non-predictable "APP_ID" changes the ID suffix of the state element, making it harder for attackers to predict and target: // app.config.ts import { APP_ID } from '@angular/core'; import { provideClientHydration } from '@angular/platform-browser'; export const appConfig = { providers: [ { provide: APP_ID, useValue: 'unique-obfuscated-app-id' }, provideClientHydration() ] }; This changes the state element lookup ID from "ng-state" to "unique-obfuscated-app-id-state".
Publish Date: 2026-06-15
URL: CVE-2026-54267
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-rgjc-h3x7-9mwg
Release Date: 2026-06-15
Fix Resolution: https://github.com/angular/angular.git - v21.2.17,https://github.com/angular/angular.git - v20.3.25
CVE-2026-54267 - High Severity Vulnerability
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-12.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via "provideClientHydration()". During SSR, Angular serializes the application's runtime state (such as cached "HttpClient" responses) and outputs it into the HTML stream as a "<script>" tag with a predictable identifier: <script type="application/json" id="ng-state"> {"some-api-url": {"body": ...}} </script>During client bootstrap, Angular recovers this state by looking up the element via "document.getElementById('ng-state')" and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector ("ng-state"), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as "id" (e.g., "<div [id]="userInput">" or "") before the genuine "<script>" tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls "document.getElementById('ng-state')", the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. Impact By clobbering the state element, the attacker can inject a custom JSON payload into Angular's "TransferState" cache. The most critical exploitation vector is poisoning the HTTP Transfer Cache. 1. The attacker injects a clobbered "ng-state" element containing custom JSON. 2. The JSON maps a key (representing a target API endpoint URL) to a malicious payload of the attacker's choice. 3. During client-side initialization, Angular's "HttpClient" checks "TransferState" before making requests. Finding the poisoned key, "HttpClient" returns the forged response instantly instead of requesting the genuine backend API. Depending on how the application processes and renders the affected API response, this can lead to: * DOM-based Cross-Site Scripting (XSS) if poisoned fields are rendered using unsafe bindings. * Privilege Escalation by spoofing user info or session details retrieved from poisoned API payloads. * UI Hijacking and redirection by spoofing configuration endpoints. Patched Versions * 22.0.1 * 21.2.17 * 20.3.25 Workarounds If you cannot immediately update to a patched Angular version, apply the following workarounds: A. Avoid Dynamic/User-Controlled IDs Avoid binding raw user-supplied values or dynamic CMS IDs directly to element attributes. If dynamic IDs are required, sanitize them or prepend a static safe prefix: <div [id]="userControlledInput">... <div [id]="'safe-prefix-' + userControlledInput">... B. Configure a Custom Application ID Declaring a unique, non-predictable "APP_ID" changes the ID suffix of the state element, making it harder for attackers to predict and target: // app.config.ts import { APP_ID } from '@angular/core'; import { provideClientHydration } from '@angular/platform-browser'; export const appConfig = { providers: [ { provide: APP_ID, useValue: 'unique-obfuscated-app-id' }, provideClientHydration() ] }; This changes the state element lookup ID from "ng-state" to "unique-obfuscated-app-id-state".
Publish Date: 2026-06-15
URL: CVE-2026-54267
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-rgjc-h3x7-9mwg
Release Date: 2026-06-15
Fix Resolution: https://github.com/angular/angular.git - v21.2.17,https://github.com/angular/angular.git - v20.3.25