Intel

AIKIDO-2026-602771

@angular-devkit/build-angular is vulnerable to OS Command Injection

OS Command Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

44

Medium Risk

This Affects:

JS@angular-devkit/build-angular
17.0.0 - 22.0.4
Fixed in 22.0.5
Are you affected? Scan for Free

TL;DR

The ssr-dev-server builder in @angular-devkit/build-angular starts the SSR server by joining the command and its arguments into a single string and running it with a shell enabled. The server output path taken from the project angular.json configuration is inserted into that string with manual quoting, so a crafted output path value containing shell command substitution or metacharacters is evaluated by the shell when the dev server starts. This allows arbitrary operating system commands to run with the privileges of the developer executing the build. The fix passes the command and arguments separately to the process spawn call and removes the manual quoting and the shell option.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you run the ssr-dev-server builder on a project whose output path configuration comes from an untrusted source.

Background info

@angular-devkit/build-angular is vulnerable to OS Command Injection in versions 17.0.0 - 22.0.4.

How to fix this

Upgrade the @angular-devkit/build-angular library to the patch version.