Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application's runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a <script> tag with a predictable identifier. During client bootstrap, Angular recovers this state by looking up the element via document.getElementById('ng-state') and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as id (e.g., <div [id]="userInput"> or <a id="ng-state">) before the genuine <script> tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls document.getElementById('ng-state'), the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Published: 2026-06-22
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Angular’s client hydration feature uses a predictable element id, 'ng-state', to retrieve state data from a specially crafted <script> tag during server‑side rendered page bootstrap. An attacker who can insert untrusted content that assigns that id to a preceding DOM element can clobber the legitimate hydration container. When Angular resolves the id it receives the attacker‑controlled element and attempts to parse its content as JSON, which can lead to injection of malicious scripts or state corruption. The result can be disclosure of user data, cross‑site scripting, or arbitrary client‑side code execution. This weakness aligns with DOM Clobbering (CWE‑471), Cross‑Site Scripting (CWE‑79), and Session Management (CWE‑807). Based on the description, it is inferred that an attacker must supply content script to enable this exploit.

Affected Systems

All Angular applications built with versions prior to 22.0.1, 21.2.17, or 20.3.25 that use provideClientHydration() in server-side rendering contexts are vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.6, indicating high severity. The EPSS score, at 0.00179, indicates a very low but nonzero likelihood of exploitation, and it is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector requires the attacker to inject or manipulate user‑controlled content that binds to an element id prior to the hydration script. In typical CMS or web application scenarios where input is not rigorously sanitized, this attack can be executed remotely ability to run arbitrary client‑side code.

Generated by OpenCVE AI on July 12, 2026 at 11:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Angular to version 22.0.1, 21.2.17, or 20.3.25.
  • Ensure any user‑supplied values that are bound to element ids are sanitized or removed; avoid using the id 'ng-state' in dynamic content.
  • If an upgrade cannot be performed immediately, disable programmatic hydration by removing provideClientHydration() or rendering the page without SSR until the patch is applied.

Generated by OpenCVE AI on July 12, 2026 at 11:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rgjc-h3x7-9mwg Angular Client Hydration DOM Clobbering & Response-Cache Poisoning
History

Fri, 10 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-807
References
Metrics threat_severity

None

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate


Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Angular
Angular angular
Vendors & Products Angular
Angular angular

Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application's runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a <script> tag with a predictable identifier. During client bootstrap, Angular recovers this state by looking up the element via document.getElementById('ng-state') and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as id (e.g., <div [id]="userInput"> or <a id="ng-state">) before the genuine <script> tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls document.getElementById('ng-state'), the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Title Angular Client Hydration DOM Clobbering & Response-Cache Poisoning
Weaknesses CWE-471
CWE-79
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T16:00:36.910Z

Reserved: 2026-06-12T17:13:32.279Z

Link: CVE-2026-54267

cve-icon Vulnrichment

Updated: 2026-06-22T16:00:32.310Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T15:30:48Z

Links: CVE-2026-54267 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-12T11:15:16Z

Weaknesses
  • CWE-471

    Modification of Assumed-Immutable Data (MAID)

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-807

    Reliance on Untrusted Inputs in a Security Decision