Impact
Angular’s client hydration feature uses a predictable element id, 'ng-state', to retrieve state data from a specially crafted <script> tag during server‑side rendered page bootstrap. An attacker who can insert untrusted content that assigns that id to a preceding DOM element can clobber the legitimate hydration container. When Angular resolves the id it receives the attacker‑controlled element and attempts to parse its content as JSON, which can lead to injection of malicious scripts or state corruption. The result can be disclosure of user data, cross‑site scripting, or arbitrary client‑side code execution. This weakness aligns with DOM Clobbering (CWE‑471), Cross‑Site Scripting (CWE‑79), and Session Management (CWE‑807). Based on the description, it is inferred that an attacker must supply content script to enable this exploit.
Affected Systems
All Angular applications built with versions prior to 22.0.1, 21.2.17, or 20.3.25 that use provideClientHydration() in server-side rendering contexts are vulnerable.
Risk and Exploitability
The vulnerability carries a CVSS score of 8.6, indicating high severity. The EPSS score, at 0.00179, indicates a very low but nonzero likelihood of exploitation, and it is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector requires the attacker to inject or manipulate user‑controlled content that binds to an element id prior to the hydration script. In typical CMS or web application scenarios where input is not rigorously sanitized, this attack can be executed remotely ability to run arbitrary client‑side code.
OpenCVE Enrichment
Github GHSA