Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable unauthenticated input (PR:N), victim must load the SSR page (UI:R), XSS crosses into the browser security context (S:C) with limited confidentiality and integrity impact and no availability impact.
Primary rating from Vendor (https://github.com/angular/angular).
CVSS VectorVendor: https://github.com/angular/angular
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements.
When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element.
However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances.
The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS).
Impact
This vulnerability allows an attacker to perform same-origin Cross-Site Scripting (XSS) attacks against any user visiting an SSR-rendered page that binds user-controlled data inside a <noscript> element. This can lead to session hijacking, credentials theft, unauthorized actions on behalf of users, and defacement.
Patched Versions
- 22.0.0-rc.2
- 21.2.16
- 20.3.24
- 19.2.25
Workarounds
If you cannot immediately update your dependencies, you can:
- Avoid binding user-controlled values inside
<noscript>elements. - Sanitize any user input placed inside
<noscript>to explicitly strip closing</noscript>tags before passing it to the template.
AnalysisAI
Cross-site scripting in @angular/platform-server allows attackers to inject executing script into SSR-rendered pages that bind user-controlled text inside a <noscript> element. The bundled domino DOM emulator omitted <noscript> from raw-text closing-tag escaping, so a </noscript> substring in dynamic content broke out of the element and ran an attacker-controlled <script> sibling in the victim's origin. No public exploit identified at time of analysis, but a fix-validating test in the upstream patch effectively demonstrates the technique.
Technical ContextAI
@angular/platform-server is Angular's Server-Side Rendering (SSR) package, which uses the domino library as a server-side DOM implementation. Under SSR, domino runs with scripting enabled, which means HTML treats <noscript> as a raw-text element - its text content must be serialized with any internal </noscript> prefix escaped to </noscript, the same way <script>, <style>, <iframe>, etc. are handled. The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) caused by domino's hasRawContent table omitting the NOSCRIPT entry in lib/NodeUtils.js, so the escapeMatchingClosingTag step was skipped entirely for <noscript> content. Affected CPE is pkg:npm/@angular/platform-server; the underlying fix lives in angular/domino PR #29 and also corrects a related UTF-16 offset bug where astral characters (emoji) preceding a closing tag could shift the escape position and re-introduce breakouts for other raw-text tags like <iframe> and <style>.
RemediationAI
Vendor-released patches: upgrade @angular/platform-server to 22.0.0-rc.2, 21.2.16, 20.3.24, or 19.2.25 depending on your release line, per the Angular advisory at https://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx (underlying domino fix in https://github.com/angular/domino/pull/29). If you cannot upgrade immediately, the vendor-supplied workarounds are to (a) stop binding user-controlled values inside <noscript> elements in any SSR template, and (b) where such bindings must remain, sanitize the input by stripping or escaping </noscript> substrings before passing the value to the template - note this only blunts the specific breakout vector and does not address the related astral-character offset bug also fixed in domino PR #29, which is why upgrading is preferred. Audit Angular templates for {{ value }} and [textContent] bindings inside <noscript> as the highest-priority review target.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38291
GHSA-gxx4-3xcv-f8qx