Executive Summary

This vulnerability exists in Angular's @angular/common package when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility caches outgoing HTTP requests performed during SSR and transfers the cached state to the client-side application. However, it fails to check if these requests include credentials such as cookies or the withCredentials flag.

Because of this, user-specific, credentialed responses may be cached by default in a shared TransferState payload. When this cached data is serialized into the SSR-rendered HTML and stored in shared caches like CDNs or reverse proxies, it can lead to the leakage of one user's private data to other users.

This is a high-severity information disclosure vulnerability that was fixed in Angular versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the unintended exposure of sensitive, user-specific data to unauthorized users. If your application uses Angular with SSR and hydration enabled, and makes credentialed HTTP requests during SSR, the cached responses containing private information might be stored in shared caches such as CDNs or reverse proxies.

As a result, other users could access this cached SSR-rendered HTML and see private data that does not belong to them, causing a serious breach of confidentiality.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying if your Angular application uses Server-Side Rendering (SSR) with hydration enabled and if the HttpTransferCache utility is caching HTTP requests that include credentials such as cookies or the withCredentials flag.

To detect this on your system or network, you can check the Angular version in use to see if it is prior to the patched versions (22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23). Additionally, inspect HTTP requests during SSR to see if credentialed requests are being cached and if SSR-rendered HTML pages are being cached by shared caches like CDNs or reverse proxies.

Suggested commands include:

• Use network monitoring tools (e.g., curl, wget, or browser developer tools) to capture HTTP requests and responses during SSR and check for Set-Cookie headers or requests sent with the withCredentials flag.
• Check Angular package version with a command like `npm list @angular/common` or `ng version` in your project directory.
• Inspect cached SSR HTML pages on your CDN or reverse proxy to see if they contain user-specific data or cookies.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Angular to a patched version where this vulnerability is fixed, specifically versions 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23.

Additionally, ensure that your SSR setup does not cache credentialed HTTP requests by disabling caching of requests that include cookies or the withCredentials flag.

Configure your caching layers such as CDNs, reverse proxies, or shared server caches to respect cache-control headers and avoid caching SSR-rendered HTML pages that may contain sensitive user-specific data.

Review and apply the fix introduced in Angular's HttpTransferCache mechanism that prevents caching of credentialed requests by default.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability can lead to the inadvertent caching and exposure of user-specific private data to unauthorized users due to the caching of credentialed HTTP responses in shared caches. Such unauthorized disclosure of personal or sensitive information may violate data protection requirements under common standards and regulations like GDPR and HIPAA, which mandate strict controls on the confidentiality and security of personal data.

Specifically, the leakage of private user data through shared caches could be considered a breach of confidentiality obligations, potentially resulting in non-compliance with these regulations. Organizations using affected Angular versions with Server-Side Rendering and hydration enabled should apply the available patches to mitigate this risk and maintain compliance.

Useful 0 Not Useful 0