CVE-2026-54267
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.
A Resource Injection vulnerability (CVE-2026-54267) has been identified in the @angular/core package where the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), making it susceptible to DOM Clobbering.
Per OWASP, this vulnerability falls under Resource Injection. Resource Injection occurs when an application incorporates untrusted input into the loading or referencing of external resources without proper validation or restrictions. An attacker may manipulate the resource reference to load unintended content, potentially resulting in the execution of malicious code, unauthorized access to resources, or other unintended application behavior when the affected component processes the injected resource.
This issue affects multiple versions of Angular.
Details
Module Info
- Product: Angular
- Affected packages: @angular/core
- Affected versions:
- >= 22.0.0-next.0 < 22.0.1
- >= 21.0.0-next.0 < 21.2.17
- >= 20.0.0-next.0 < 20.3.25
- <= 19.2.25
- GitHub repository: https://github.com/angular/angular
- Published packages: https://www.npmjs.com/package/@angular/core
- Package manager: npm
- Fixed in:
- OSS Angular v22.0.1, v21.2.17, v20.3.25
Vulnerability Info
This High-severity vulnerability is found in the @angular/core package in multiple published versions of Angular.
During client bootstrap, Angular recovers this state by looking up the element via document.getElementById('ng-state') and parsing its text content.
Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering.
If the application binds untrusted user input or CMS content to element properties such as id (e.g., <div [id]="userInput"> or <a id="ng-state">) before the genuine <script> tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup.
During hydration, when Angular calls document.getElementById('ng-state'), the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON.
Mitigation
Angular versions prior to 19 were already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Migrate affected applications to a patched version of Angular.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.