=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN633
_____________________________________________________________________

DATE                : 15/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running @angular/core (npm),
                     @angular/common (npm), @angular/service-worker (npm),
                     @angular/compiler (npm) versions prior to 22.0.1,
                     21.2.17, 20.3.25.

=====================================================================
https://github.com/angular/angular/security/advisories/GHSA-39pv-4j6c-2g6v
https://github.com/angular/angular/security/advisories/GHSA-rgjc-h3x7-9mwg
https://github.com/angular/angular/security/advisories/GHSA-qxh6-94w6-9r5p
https://github.com/angular/angular/security/advisories/GHSA-48r7-hpm6-gfxm
https://github.com/angular/angular/security/advisories/GHSA-58w9-8g37-x9v5
_____________________________________________________________________


Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to
Cross-Request Data Leakage and State Poisoning

High
alan-agius4 published GHSA-39pv-4j6c-2g6v Jun 10, 2026

Package
@angular/common (npm)

Affected versions
>= 22.0.0-next.0 < 22.0.1
>= 21.0.0-next.0 < 21.2.17
>= 20.0.0-next.0 < 20.3.25
<= 19.2.25

Patched versions
22.0.1
21.2.17
20.3.25
none


Description

Angular's HttpTransferCache caches HTTP requests made during Server-Side
Rendering (SSR) so that they can be reused during client-side hydration.
This avoids repeating the same HTTP requests on the client. The cached
responses are stored in TransferState using a cache key generated by
hashing request properties (method, response type, mapped URL,
serialized body, and sorted query parameters).

The cache keys are generated using a weak 32-bit DJB2-like polynomial
rolling hash. The 32-bit hash space is extremely small, allowing attackers
to find hash collisions.

An attacker can easily find a query parameter string (e.g., q=aaCAZMMM
for a search request) that produces the exact same 32-bit hash as a
sensitive endpoint (e.g., /api/user/profile). When a victim visits a
crafted link containing the colliding parameter, the SSR process executes
both the search request and the profile request. Due to the hash
collision, the search response overwrites the profile response in the
TransferState cache.


Impact

When the application attempts to retrieve the cached response for the
sensitive endpoint (such as the user's profile), it receives the
attacker-controlled response instead. This results in:

    State Poisoning: The application runs with attacker-forged data, which
can lead to bypassing client-side security controls or DOM-based
Cross-Site Scripting (XSS) if the data is rendered unsafely.

    Information Leakage: If the sensitive response is mistakenly associated
with the attacker's search results and rendered on the page, the victim's
sensitive data may be disclosed to the attacker.


Patched Versions

    22.0.1
    21.2.17
    20.3.25

Framework-Level Fix

The logic has been updated to use a cryptographically secure SHA-256 hash
algorithm for generating TransferState cache keys in HttpTransferCache. The
cache keys are now 256-bit hexadecimal strings.

Workarounds

If you cannot upgrade immediately, configure your HttpClient requests to
skip transfer caching for sensitive endpoints:

this.http.get('/api/user/profile', {
  transferCache: false
});

Alternatively, disable the HTTP transfer cache globally in your application
bootstrap config:

import { provideClientHydration, withNoHttpTransferCache } from '@angular/platform-browser';

export const appConfig = {
  providers: [
    provideClientHydration(
      withNoHttpTransferCache()
    )
  ]
};


References

    #69153


Credits

This vulnerability was discovered and reported by CodeMender from
Google DeepMind.


Severity
High
8.8 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity Low
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
CVE ID
CVE-2026-54266
Weaknesses
Weakness CWE-328
Weakness CWE-345
Credits

    @alan-agius4 alan-agius4 Remediation developer
    @JeanMeche JeanMeche Remediation reviewer
    @josephperrott josephperrott Other

_____________________________________________________________________

Angular Client Hydration DOM Clobbering & Response-Cache Poisoning
High
alan-agius4 published GHSA-rgjc-h3x7-9mwg Jun 10, 2026

Package
@angular/core (npm)

Affected versions
>= 22.0.0-next.0 < 22.0.1
>= 21.0.0-next.0 < 21.2.17
>= 20.0.0-next.0 < 20.3.25
<= 19.2.25

Patched versions
22.0.1
21.2.17
20.3.25
none


Description

To optimize client-side bootstrap in Server-Side Rendered (SSR)
environments, Angular supports Hydration via provideClientHydration().
During SSR, Angular serializes the application's runtime state (such
as cached HttpClient responses) and outputs it into the HTML stream
as a <script> tag with a predictable identifier:

<script type="application/json" id="ng-state">
    {"some-api-url": {"body": ...}}
</script>

During client bootstrap, Angular recovers this state by looking up
the element via document.getElementById('ng-state') and parsing its
text content.

Because the DOM element lookup for the state container is
predictable and relies solely on the ID selector (ng-state), it is
susceptible to DOM Clobbering.

If the application binds untrusted user input or CMS content to
element properties such as id (e.g., <div [id]="userInput"> or
<a id="ng-state">) before the genuine <script> tag is parsed by the
browser, the attacker-controlled element takes precedence in the
DOM lookup.

During hydration, when Angular calls
document.getElementById('ng-state'), the browser returns the
attacker's clobbered element. Angular then attempts to parse the
text content or attributes of this clobbered element as JSON.

Impact

By clobbering the state element, the attacker can inject a custom
JSON payload into Angular's TransferState cache. The most critical
exploitation vector is poisoning the HTTP Transfer Cache.

    The attacker injects a clobbered ng-state element containing
custom JSON.

    The JSON maps a key (representing a target API endpoint URL) to
a malicious payload of the attacker's choice.

    During client-side initialization, Angular's HttpClient checks
TransferState before making requests. Finding the poisoned key,
HttpClient returns the forged response instantly instead of
requesting the genuine backend API.

Depending on how the application processes and renders the
affected API response, this can lead to:

    DOM-based Cross-Site Scripting (XSS) if poisoned fields are
rendered using unsafe bindings.

    Privilege Escalation by spoofing user info or session details
retrieved from poisoned API payloads.

    UI Hijacking and redirection by spoofing configuration
endpoints.


Patched Versions

    22.0.1
    21.2.17
    20.3.25


Workarounds

If you cannot immediately update to a patched Angular version,
apply the following workarounds:

A. Avoid Dynamic/User-Controlled IDs

Avoid binding raw user-supplied values or dynamic CMS IDs directly
to element attributes. If dynamic IDs are required, sanitize them
or prepend a static safe prefix:

<!-- Vulnerable Pattern -->
<div [id]="userControlledInput">...</div>

<!-- Mitigated Pattern -->
<div [id]="'safe-prefix-' + userControlledInput">...</div>

B. Configure a Custom Application ID

Declaring a unique, non-predictable APP_ID changes the ID suffix of
the state element, making it harder for attackers to predict and
target:

// app.config.ts

import { APP_ID } from '@angular/core';
import { provideClientHydration } from '@angular/platform-browser';

export const appConfig = {
  providers: [
    { provide: APP_ID, useValue: 'unique-obfuscated-app-id' },
    provideClientHydration()
  ]
};

This changes the state element lookup ID from ng-state to
unique-obfuscated-app-id-state.


References

    #69064


Severity
High
8.6 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction Passive
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CVE ID
CVE-2026-54267

Weaknesses
Weakness CWE-79
Weakness CWE-471

Credits

    @SkyZeroZx SkyZeroZx Reporter
    @AndrewKushnir AndrewKushnir Remediation reviewer
    @alan-agius4 alan-agius4 Remediation reviewer
    @josephperrott josephperrott Other
    @JeanMeche JeanMeche Remediation reviewer

_____________________________________________________________________


Sensitive Header Leakage on Cross-Origin Redirects in Angular Service
Worker

High
alan-agius4 published GHSA-qxh6-94w6-9r5p Jun 10, 2026

Package
@angular/service-worker (npm)

Affected versions
>= 22.0.0-next.0 < 22.0.1
>= 21.0.0-next.0 < 21.2.17
>= 20.0.0-next.0 < 20.3.25
<= 19.2.25

Patched versions
22.0.1
21.2.17
20.3.25
none


Description

An information disclosure vulnerability exists in the
@angular/service-worker package of the Angular framework. When the
Service Worker fetches assets, it preserves metadata (such as headers)
from the original request. However, on cross-origin redirects,
the Service Worker fails to strip sensitive headers, violating the
Fetch redirect algorithm.

This allows a remote attacker to obtain sensitive credentials (e.g.,
Authorization tokens, Proxy-Authorization credentials, or session
cookies) by triggering a cross-origin redirect to an untrusted
external origin.


Impact

If an application configured with the Angular Service Worker fetches
assets with credential headers (such as Authorization header), and
one of those requests is redirected to a different origin, the Service
Worker will forward those headers to the new origin. This exposes
critical credentials and session identifiers to unauthorized
third-party servers.


Attack Preconditions

For this vulnerability to be exploitable:

    Vulnerable Configuration: The application must utilize the
@angular/service-worker package to fetch assets.
    Credentialed Requests: The application must attach sensitive
request headers (like Authorization, Proxy-Authorization, or rely
on cookies) to asset-group requests.
    Redirect Flow: These requests must encounter a cross-origin
redirect to an attacker-controlled or untrusted domain.


Patched Versions

    22.0.1
    21.2.17
    20.3.25


References

    #69029


Credits

This vulnerability was discovered and reported by CodeMender from
Google DeepMind.


Severity
High
8.3 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction Passive
Vulnerable System Impact Metrics
Confidentiality High
Integrity None
Availability None
Subsequent System Impact Metrics
Confidentiality High
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

CVE ID
CVE-2026-54264

Weaknesses
Weakness CWE-200
Weakness CWE-359

Credits

    @SkyZeroZx SkyZeroZx Remediation developer
    @alan-agius4 alan-agius4 Remediation reviewer
    @JeanMeche JeanMeche Remediation reviewer
    @josephperrott josephperrott Other


_____________________________________________________________________


Denial of Service (DoS) via OOM in Date Formatting (formatDate)
High
alan-agius4 published GHSA-48r7-hpm6-gfxm Jun 10, 2026

Package
@angular/common (npm)

Affected versions
>= 22.0.0-next.0 < 22.0.1
>= 21.0.0-next.0 < 21.2.17
>= 20.0.0-next.0 < 20.3.25
<= 19.2.25

Patched versions
22.0.1
21.2.17
20.3.25
none

Description

A Denial of Service (DoS) vulnerability exists in the @angular/common
package of the Angular framework. The formatDate function, which is also
utilized by the standard Angular DatePipe, does not properly limit or
validate the length of the format parameter.

When parsing a maliciously crafted, excessively long date format string
(e.g., a repeating pattern or very large string), the internal parser
splits the string iteratively using a regular expression loop. This
results in uncontrolled resource consumption (high CPU utilization and
excessive memory allocations), leading to a Denial of Service (DoS).


Impact

1. Server-Side Rendering (SSR)

In Angular applications that leverage Server-Side Rendering, an attacker
can supply a malicious payload with an excessively long date format
string. Processing this on the server causes high CPU usage and triggers
a JavaScript heap out of memory crash, rendering the application
unavailable to all users.

2. Client-Side Rendering (CSR)

In standard client-side applications, executing the vulnerable function
with an excessively long format string blocks the browser's main thread,
causing the browser tab to freeze and become completely unresponsive.


Patched Versions

    22.0.1
    21.2.17
    20.3.25

Attack Preconditions

For this vulnerability to be exploitable, both of the following
conditions must be met:

    Vulnerable Component Usage: The application must format dates
using the formatDate utility or the DatePipe.
    Attacker-Controlled Parameter: The date format string passed
to these utilities must be customizable or directly controlled by
untrusted user input (e.g., parsed from query parameters, user
preferences, or API responses).

If the date format is hardcoded (e.g., 'mediumDate', 'shortTime',
or static strings) or properly validated to be within a reasonable
length limit, the application is not vulnerable.


References

    #69197


Severity
High
8.2 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2026-54268

Weaknesses
Weakness CWE-400
Weakness CWE-1333

Credits

    @JeanMeche JeanMeche Remediation reviewer
    @alan-agius4 alan-agius4 Remediation reviewer
    @SkyZeroZx SkyZeroZx Remediation developer
    @josephperrott josephperrott Other


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================