Angular Client Hydration DOM Clobbering & Response-Cache Poisoning — CVE-2026-54267
GitHub · GitHub · CVE-2026-54267
ID
CVE-2026-54267
CVE-2026-54267
Date
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
8.6
8.6
EPSS
0.00054
0.00054
Summary
To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports **Hydration** via `provideClientHydration()`. During SSR, Angular serializes the application's runtime state (such as cached `HttpClient` responses) and outputs it into the HTML stream as a `<script>` tag with a predictable identifier: ```html <script type="application/json" id="ng-state"> {"some-api-url": {"body": ...}}…
Product
npm: @angular/core
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.