AIKIDO-2026-657895
@angular/core is vulnerable to Cross-Site Scripting (XSS)
86
High Risk
This Affects:
@angular/coreTL;DR
Client hydration restores serialized application state by locating a predictable ng-state script element with getElementById. Attacker-controlled element id values rendered before that script can clobber the lookup via DOM clobbering. Angular then parses forged JSON from the clobbered element and can poison HttpTransferCache entries during bootstrap. The fix requires the recovered state container to be a real SCRIPT element before parsing its contents.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range and your SSR application enables client hydration while rendering user-influenced element identifiers before the hydration state script.
Background info
@angular/core is vulnerable to Cross-Site Scripting (XSS) in versions 20.0.0 - 20.3.24, 21.0.0 - 21.2.16 and 22.0.0 - 22.0.0.
How to fix this
Upgrade the @angular/core library to the patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant