Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, Angular's HttpTransferCache caches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in TransferState using a cache key generated by hashing request properties (method, response type, mapped URL, serialized body, and sorted query parameters). The cache keys are generated using a weak 32-bit DJB2-like polynomial rolling hash. The 32-bit hash space is extremely small, allowing attackers to find hash collisions. An attacker can easily find a query parameter string (e.g., q=aaCAZMMM for a search request) that produces the exact same 32-bit hash as a sensitive endpoint (e.g., /api/user/profile). When a victim visits a crafted link containing the colliding parameter, the SSR process executes both the search request and the profile request. Due to the hash collision, the search response overwrites the profile response in the TransferState cache. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Published: 2026-06-22
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Angular’s HttpTransferCache uses a weak 32‑bit hash to generate cache keys for HTTP responses during server‑side rendering. The collision‑prone hash allows an attacker to craft a query string that produces the same 32‑bit hash as a sensitive endpoint. When a victim follows a link containing the colliding parameter, the SSR process executes both the benign and the sensitive request; the cached response for the benign request overwrites the sensitive one in TransferState. This results in the victim receiving data from a different user or having the application’s state tampered with. The weakness is a weak hash function (CWE‑328) combined with key collision (CWE‑345), leading to confidentiality and integrity impacts on data exposed through the cache.

Affected Systems

Angular versions prior to 22.0.1, 21.2.17, and 20.3.25 are affected. The vulnerability exists in the angular:angular product for applications that perform server‑side rendering and rely on HttpTransferCache to cache HTTP responses. Updating the Angular framework to any version equal to or newer than the listed fixed releases protects affected deployments.

Risk and Exploitability

The CVSS score of 8.8 classifies this flaw as high severity, indicating a significant likelihood of misuse. Although EPSS data is unavailable, the absence from the CISA KEV catalog does not negate the potential for exploitation. Attackers can exploit the weakness simply by convincing a user to load a specially crafted URL that triggers a hash collision during SSR. Because the vulnerability relies on standard HTTP requests, no special privileges are required, making it a network‑level exploitation vector that can affect many users behind an SSR site. The risk to confidential user data and the integrity of client state warrants prompt remediation.

Generated by OpenCVE AI on June 22, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Angular framework to the patched release: 22.0.1 or newer for the 22 series, 21.2.17 or newer for the 21 series, or 20.3.25 or newer for the 20 series.
  • If an upgrade cannot occur immediately, disable server‑side rendering or remove the use of HttpTransferCache for endpoints that return sensitive information.
  • Implement a stronger hash algorithm or add server‑side validation to detect and reject requests that would produce cache key collisions.

Generated by OpenCVE AI on June 22, 2026 at 16:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-39pv-4j6c-2g6v @angular/common: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning
History

Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, Angular's HttpTransferCache caches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in TransferState using a cache key generated by hashing request properties (method, response type, mapped URL, serialized body, and sorted query parameters). The cache keys are generated using a weak 32-bit DJB2-like polynomial rolling hash. The 32-bit hash space is extremely small, allowing attackers to find hash collisions. An attacker can easily find a query parameter string (e.g., q=aaCAZMMM for a search request) that produces the exact same 32-bit hash as a sensitive endpoint (e.g., /api/user/profile). When a victim visits a crafted link containing the colliding parameter, the SSR process executes both the search request and the profile request. Due to the hash collision, the search response overwrites the profile response in the TransferState cache. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Title Angular: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning
Weaknesses CWE-328
CWE-345
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T15:28:42.561Z

Reserved: 2026-06-12T17:13:32.279Z

Link: CVE-2026-54266

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T16:30:08Z

Weaknesses
  • CWE-328

    Use of Weak Hash

  • CWE-345

    Insufficient Verification of Data Authenticity