Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network delivery with no auth, but exploitation depends on the app binding untrusted input into id attributes and on hydration being enabled (AC:H); victim must load the page (UI:R); cache poisoning crosses into the API/auth trust boundary (S:C) yielding high C and I, no availability impact.
Primary rating from Vendor (https://github.com/angular/angular).
CVSS VectorVendor: https://github.com/angular/angular
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application's runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a <script> tag with a predictable identifier:
<script type="application/json" id="ng-state">
{"some-api-url": {"body": ...}}
</script>During client bootstrap, Angular recovers this state by looking up the element via document.getElementById('ng-state') and parsing its text content.
Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering.
If the application binds untrusted user input or CMS content to element properties such as id (e.g., <div [id]="userInput"> or <a id="ng-state">) *before* the genuine <script> tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup.
During hydration, when Angular calls document.getElementById('ng-state'), the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON.
Impact
By clobbering the state element, the attacker can inject a custom JSON payload into Angular's TransferState cache. The most critical exploitation vector is poisoning the HTTP Transfer Cache.
- The attacker injects a clobbered
ng-stateelement containing custom JSON. - The JSON maps a key (representing a target API endpoint URL) to a malicious payload of the attacker's choice.
- During client-side initialization, Angular's
HttpClientchecksTransferStatebefore making requests. Finding the poisoned key,HttpClientreturns the forged response instantly instead of requesting the genuine backend API.
Depending on how the application processes and renders the affected API response, this can lead to:
- DOM-based Cross-Site Scripting (XSS) if poisoned fields are rendered using unsafe bindings.
- Privilege Escalation by spoofing user info or session details retrieved from poisoned API payloads.
- UI Hijacking and redirection by spoofing configuration endpoints.
Patched Versions
- 22.0.1
- 21.2.17
- 20.3.25
Workarounds
If you cannot immediately update to a patched Angular version, apply the following workarounds:
A. Avoid Dynamic/User-Controlled IDs
Avoid binding raw user-supplied values or dynamic CMS IDs directly to element attributes. If dynamic IDs are required, sanitize them or prepend a static safe prefix:
<!-- Vulnerable Pattern -->
<div [id]="userControlledInput">...</div>
<!-- Mitigated Pattern -->
<div [id]="'safe-prefix-' + userControlledInput">...</div>B. Configure a Custom Application ID
Declaring a unique, non-predictable APP_ID changes the ID suffix of the state element, making it harder for attackers to predict and target:
// app.config.ts
import { APP_ID } from '@angular/core';
import { provideClientHydration } from '@angular/platform-browser';
export const appConfig = {
providers: [
{ provide: APP_ID, useValue: 'unique-obfuscated-app-id' },
provideClientHydration()
]
};
This changes the state element lookup ID from ng-state to unique-obfuscated-app-id-state.
AnalysisAI
DOM Clobbering and HTTP Transfer Cache poisoning in Angular's Client Hydration (provideClientHydration) allows remote attackers to inject arbitrary JSON into the TransferState by hijacking the predictable 'ng-state' element ID. Affected versions are @angular/core 20.x through 22.x prior to the fixes, and the flaw can be leveraged for DOM-based XSS, privilege escalation, or UI hijacking when applications bind untrusted input to element id attributes. No public exploit identified at time of analysis, but a vendor patch and detailed advisory (GHSA-rgjc-h3x7-9mwg) are available.
Technical ContextAI
Angular's SSR hydration mechanism serializes runtime state - including cached HttpClient responses - into an inline <script type="application/json" id="ng-state"> tag, which the client retrieves at bootstrap via document.getElementById('ng-state'). Because the lookup relies solely on a static, predictable ID, it is vulnerable to DOM Clobbering (CWE-79 manifesting via DOM property collision): any earlier element in the DOM tree carrying id="ng-state" - including ones produced by binding untrusted user/CMS content to [id] - wins the getElementById lookup. The upstream fix in PR #69064 adds a tagName === 'SCRIPT' guard in retrieveTransferredState so non-<script> clobbering nodes are ignored. The CPE data confirms the affected package is the npm distribution pkg:npm/@angular/core.
RemediationAI
Vendor-released patch: upgrade @angular/core to 22.0.1, 21.2.17, or 20.3.25 depending on your release line, as documented in GHSA-rgjc-h3x7-9mwg (https://github.com/angular/angular/security/advisories/GHSA-rgjc-h3x7-9mwg) and merged in PR https://github.com/angular/angular/pull/69064. If immediate upgrade is not feasible, apply the vendor-recommended workarounds: avoid binding raw user- or CMS-supplied values to the [id] attribute and instead prepend a static safe prefix such as 'safe-prefix-' before concatenating untrusted input, and configure a unique non-predictable APP_ID (e.g. provide APP_ID with a long random string) so the state element ID becomes '<obfuscated>-state' rather than the well-known 'ng-state' - note the latter is obfuscation, not a structural fix, and is bypassable if an attacker can enumerate or leak the APP_ID. Both workarounds require auditing every template and CMS pipeline that influences id attributes, which can be invasive in large content-driven apps.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38271
GHSA-rgjc-h3x7-9mwg