Impact
Angular’s @angular/core implementation contains a flaw in the dynamic component creation API that allows an attacker to mount a component directly onto a <script> or a namespaced script tag such as <svg:script>. The createComponent function accepts a selector string that can be supplied by an attacker; by providing a selector of "script" the framework renders that element and executes its contents. This enables the execution of arbitrary JavaScript in the context of the user’s browser, leading to classic client‑side XSS. The primary consequence is that an attacker who can influence the host element or selector parameter used in a createComponent call can embed malicious scripts into a page. This can result in theft of session cookies, defacement of the application, or credential phishing, all of which occur silently without requiring any privileges on the attacker’s side. The CVSS score of 5.3 places the vulnerability in the moderate severity range, while an EPSS score of less than 1 % indicates a very low likelihood of exploitation to date. It is not listed in CISA’s KEV catalog, but the attack surface remains real for Angular applications that expose dynamic component creation to untrusted input. The weakness is reflected by CWE‑79 (Cross‑Site Scripting) and CWE‑791 (Index Of Returned Pointer Not Checked).
Affected Systems
Angular framework (full), including the @angular/core package. Versions prior to 22.0.0‑rc.2, 21.2.15, 20.3.22, and 19.2.23 are vulnerable. Upgrading to any subsequent release that incorporates the fix resolves the issue.
Risk and Exploitability
This flaw is exploitable without additional privileges. An attacker who can supply the selector or host element to createComponent—common in applications that pass user input to component creation—can inject a <script> tag that runs untrusted code. The moderate CVSS score indicates significant impact if executed, and while exploitation probability is currently very low (EPSS < 1 %), the ease of attack in suitable environments mandates timely patching. The vulnerability is not yet in the KEV catalog, but monitoring for potential exploit activity is advisable.
OpenCVE Enrichment
Github GHSA