Threat Advisory

Angular Vulnerability Allows XSS Attack

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the Angular framework packages used for server‑side rendering and service‑worker functionality, including @angular/platform-server (versions ≤ 18.2.14 and 19.0.0‑next.0 through 22.0.0‑next.0), @angular/service-worker (versions ≤ 19.2.25 and 20.0.0‑next.0 through 22.0.0‑next.0), @angular/common (versions ≤ 19.2.25 and 20.0.0‑next.0 through 22.0.0‑next.0), and @angular/core (versions ≤ 19.2.25 and 20.0.0‑next.0 through 22.0.0‑next.0). The flaws span cross‑site scripting, information disclosure, denial‑of‑service, cache‑key collision leading to data leakage, and hydration‑related DOM clobbering. Exploitation can allow attackers to execute arbitrary scripts in user browsers, steal authentication tokens, crash servers, and poison client state, exposing the organization to credential theft, service interruption, and reputational damage.

  • CVE-2026-50556 with a CVSS score of 7.5 – A cross‑site scripting flaw in @angular/platform-server’s handling of elements allows unescaped tags to break out of the element and inject script code; an attacker needs to supply malicious data that is rendered in SSR templates.
  • CVE-2026-54264 with a CVSS score of 7.5 – The service‑worker package forwards credentialed request headers on cross‑origin redirects, enabling an attacker who can trigger such a redirect to capture Authorization or session cookies.
  • CVE-2026-54268 with a CVSS score of 7.5 – The formatDate function in @angular/common does not limit the length of the format string, so a crafted overly long pattern can exhaust CPU and memory, causing a denial‑of‑service on both server‑side and client‑side rendering.
  • CVE-2026-54266 with a CVSS score of 7.5 – A weak 32‑bit hash used for HttpTransferCache keys permits collision attacks, allowing an adversary to poison TransferState and leak or replace sensitive data across requests.
  • CVE-2026-50555 with a CVSS score of 7.5 – Hydration code in @angular/core can be tricked by DOM clobbering of the ng‑state script element, letting an attacker inject malicious JSON that poisons the HTTP transfer cache and potentially triggers XSS or privilege escalation.

These combined flaws expose Angular‑based applications to script injection, credential leakage, service outage, and state poisoning across both server‑side and client‑side components. If these flaws are left unaddressed, attackers could hijack user sessions, steal sensitive data, and render the service unavailable, leading to regulatory penalties and loss of customer trust. Prompt remediation is therefore essential to protect the organization’s digital assets.

RECOMMENDATION:

  • We recommend updating @angular/platform-server to version 22.0.0-rc.2.
  • We recommend updating @angular/service-worker to version 22.0.1.
  • We recommend updating @angular/core to version 22.0.1.
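The following check is an added example, not part of this advisory or of the Angular project: it compares installed package versions against the affected ranges and recommended versions listed above. It assumes a map of package name to resolved version (for instance built from package-lock.json or `npm ls --json`) and uses a minimal semver comparator written here; the inclusive range bounds, the `SAMPLE_INSTALLED` input and the function names are this example's own constructions.

```javascript
// Minimal semver comparison (helper written for this example, not Angular's own code).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}
function cmpPreId(a, b) {           // numeric identifiers sort before alphanumeric ones
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Number(a) - Number(b);
  if (na !== nb) return na ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}
function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  if (!a.pre.length || !b.pre.length) return b.pre.length - a.pre.length; // a release outranks its prereleases
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    if (a.pre[i] === undefined) return -1;
    if (b.pre[i] === undefined) return 1;
    const c = cmpPreId(a.pre[i], b.pre[i]);
    if (c) return c;
  }
  return 0;
}
// Affected ranges (inclusive; a null lower bound means "any earlier version") and recommended versions as listed in the advisory; none is listed for @angular/common.
const ADVISORY = {
  '@angular/platform-server': { ranges: [[null, '18.2.14'], ['19.0.0-next.0', '22.0.0-next.0']], fixed: '22.0.0-rc.2' },
  '@angular/service-worker':  { ranges: [[null, '19.2.25'], ['20.0.0-next.0', '22.0.0-next.0']], fixed: '22.0.1' },
  '@angular/common':          { ranges: [[null, '19.2.25'], ['20.0.0-next.0', '22.0.0-next.0']], fixed: null },
  '@angular/core':            { ranges: [[null, '19.2.25'], ['20.0.0-next.0', '22.0.0-next.0']], fixed: '22.0.1' },
};
function isAffected(pkg, version) {
  const entry = ADVISORY[pkg];
  if (!entry) return false;
  return entry.ranges.some(([lo, hi]) =>
    (lo === null || compareSemver(version, lo) >= 0) && compareSemver(version, hi) <= 0);
}
// installed: { packageName: resolvedVersion }. Reports both "inside a listed range" and "below the recommended version".
function auditAngularPackages(installed) {
  return Object.entries(installed).filter(([pkg]) => pkg in ADVISORY).map(([pkg, version]) => ({
    pkg, version, affected: isAffected(pkg, version),
    belowRecommended: ADVISORY[pkg].fixed !== null && compareSemver(version, ADVISORY[pkg].fixed) < 0,
  }));
}
// Constructed sample of resolved versions, not taken from any real project.
const SAMPLE_INSTALLED = { '@angular/core': '19.2.25', '@angular/common': '20.3.0',
  '@angular/platform-server': '22.0.0-rc.1', '@angular/service-worker': '22.0.1', 'rxjs': '7.8.1' };
console.table(auditAngularPackages(SAMPLE_INSTALLED));
```

A package that is below its recommended version but outside the listed ranges (the sample's platform-server prerelease) still shows up with `belowRecommended: true`, so both columns should be read together.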

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-gxx4-3xcv-f8qx
https://github.com/advisories/GHSA-qxh6-94w6-9r5p
https://github.com/advisories/GHSA-48r7-hpm6-gfxm
https://github.com/advisories/GHSA-39pv-4j6c-2g6v
https://github.com/advisories/GHSA-hqr9-c56f-3x7f
https://github.com/advisories/GHSA-p3vc-36g9-x9gr
https://github.com/advisories/GHSA-q6f4-qqrg-jv6x
https://github.com/advisories/GHSA-xrxm-cp7j-8xf6
https://github.com/advisories/GHSA-rgjc-h3x7-9mwg
