Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable and unauthenticated, but high complexity because it requires a vulnerable SSR+hydration deployment behind a misconfigured shared cache; high confidentiality impact crossing user-trust boundary (scope change), no integrity or availability impact.
Primary rating from Vendor (https://github.com/angular/angular).
CVSS VectorVendor: https://github.com/angular/angular
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was discovered in @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState.
However, the caching mechanism fails to inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared TransferState payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user's private data to other users, leading to a high-severity information disclosure vulnerability.
Impact
Successful exploitation allows an unauthenticated attacker to obtain sensitive, user-specific information of other authenticated users. This occurs when:
- The SSR-rendered HTML containing the cached private data is stored in a shared cache (e.g., CDN, reverse proxy).
- Subsequent requests for the same page receive the cached HTML containing the first user's private data.
Attack Preconditions
- SSR and Hydration Enabled: The Angular application must be configured to use Server-Side Rendering and hydration (e.g., using
provideClientHydration()). - Credentialed Requests during SSR: The application must perform HTTP requests that require user-specific authentication (using cookies or
withCredentials: true) during the initial server-side render. - Shared Caching: The application's HTML responses must be cached by a shared caching layer (CDN, reverse proxy, or server-side cache) without proper cache-control headers to distinguish authenticated users.
Patches
- 22.0.0-rc.2
- 21.2.15
- 20.3.22
- 19.2.23
AnalysisAI
Information disclosure in @angular/common HttpTransferCache allows unauthenticated attackers to obtain other users' private data when Server-Side Rendering and hydration are enabled. The flaw stems from the cache failing to inspect the withCredentials flag or Cookie header, allowing credentialed responses to be serialized into SSR HTML and inadvertently shared via downstream CDN/reverse-proxy caches. No public exploit identified at time of analysis, but a vendor patch and detailed advisory describing the conditions are available.
Technical ContextAI
Angular's @angular/common npm package provides the HttpTransferCache utility, which optimizes hydration by caching outgoing HEAD/GET HttpClient requests made during SSR and replaying them on the client via TransferState. Prior to the fix, shouldCacheRequest only excluded requests carrying Authorization or Proxy-Authorization headers; it did not check for the Cookie header or the withCredentials flag, both of which are the canonical mechanisms used to associate an HTTP request with a specific authenticated user. This is a CWE-524 (Use of Cache Containing Sensitive Information) flaw: user-specific HTTP responses end up embedded into the rendered HTML payload (TransferState block), and when an upstream shared cache (CDN, reverse proxy, or server-side cache) stores that HTML keyed only by URL, requests from different users can collide on the same cached page.
RemediationAI
Vendor-released patches are available: upgrade @angular/common to 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23 depending on your major version, per advisory GHSA-q6f4-qqrg-jv6x and PR https://github.com/angular/angular/pull/67964. After patching, requests carrying a Cookie header or sent with withCredentials: true are excluded from HttpTransferCache by default, matching the existing exclusion for Authorization headers. If immediate upgrade is not possible, configure withHttpTransferCacheOptions to disable caching for sensitive endpoints, set includeRequestsWithAuthHeaders to false, or avoid issuing credentialed HTTP calls during SSR by deferring them to the client (trade-off: hydration benefits and time-to-content for authenticated views are reduced). Additionally, harden the downstream cache layer by adding Cache-Control: private, no-store for authenticated HTML responses or by varying cache keys on session cookies (trade-off: lower CDN hit rate for logged-in users). Vendor advisory: https://github.com/angular/angular/security/advisories/GHSA-q6f4-qqrg-jv6x; patch reference: https://github.com/angular/angular/pull/67964; additional context: https://www.herodevs.com/vulnerability-directory/cve-2026-50170.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38292
GHSA-q6f4-qqrg-jv6x