CVE-2026-54267
Received - Intake
DOM Clobbering in Angular SSR via ng-state

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 22.0.1, 21.2.17, and 20.3.25 are affected. To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application's runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a <script> tag with a predictable identifier. During client bootstrap, Angular recovers this state by looking up the element via document.getElementById('ng-state') and parsing its text content.

Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as id (e.g., <div [id]="userInput"> or <a id="ng-state">) before the genuine <script> tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls document.getElementById('ng-state'), the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON.

This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-22
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs
Vendor   Product  Version / Range
angular  angular  to 20.3.25 (inc)
angular  angular  to 21.2.17 (inc)
angular  angular  to 22.0.1 (inc)
angular  angular  From 19.2.25 (inc) to 20.3.25 (exc)
CWE
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-471 The product does not properly protect an assumed-immutable element from being modified by an attacker.
Executive Summary

CVE-2026-54267 is a DOM clobbering vulnerability in Angular's client-side hydration mechanism used during Server-Side Rendering (SSR). Angular serializes runtime state, including cached HTTP responses, into a <script> tag with a predictable ID 'ng-state'. An attacker can inject a malicious element with the same ID before the legitimate script tag is parsed, causing Angular to parse attacker-controlled content as JSON during hydration. This allows the attacker to poison the TransferState cache, potentially manipulating API responses.

Compliance Impact

CVE-2026-54267 allows an attacker to perform DOM-based Cross-Site Scripting (XSS), privilege escalation, UI hijacking, and redirection by poisoning the TransferState cache in Angular applications. Such security issues can lead to unauthorized access to sensitive data or manipulation of application behavior.

These impacts can affect compliance with common standards and regulations like GDPR and HIPAA, which require that personal and sensitive data be protected against unauthorized access and that applications be secured to prevent data breaches.

Therefore, if an Angular application vulnerable to this issue processes or handles regulated personal data, failure to patch or mitigate this vulnerability could result in non-compliance with these standards due to increased risk of data exposure or compromise.

Impact Analysis

This vulnerability can lead to several serious impacts including DOM-based Cross-Site Scripting (XSS), privilege escalation, UI hijacking, and redirection attacks. By poisoning the TransferState cache, an attacker can forge API responses that the application trusts, potentially manipulating the application's behavior or stealing sensitive information.

Detection Guidance

This vulnerability involves DOM Clobbering in Angular's hydration process where an attacker can inject elements with the ID 'ng-state' to spoof the TransferState cache. Detection involves checking if any elements other than the legitimate <script> tag with ID 'ng-state' exist in the DOM, especially those bound to untrusted user input or CMS content.

Since the vulnerability is related to client-side DOM manipulation, detection commands would focus on inspecting the DOM structure in the browser or scanning application source code for unsafe bindings to the 'id' attribute.

  • Use browser developer tools to inspect the DOM for multiple elements with the ID 'ng-state' or non-script elements with this ID.
  • Run automated scans or scripts to detect if user input is bound to element IDs, especially 'ng-state'.
  • In a testing environment, use JavaScript commands in the browser console such as: document.querySelectorAll('#ng-state') to see how many elements have this ID and verify their tag names.
  • Check server-side rendered HTML output for unexpected elements with ID 'ng-state' before the legitimate <script> tag.
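
The checks listed above can be automated against rendered HTML, for example in a CI step that fetches SSR output. The following is an added example, not code from Angular or from this advisory page: the function names and sample pages are constructed for illustration, and the scanner is a simplified tokenizer rather than a full HTML parser. The stateId parameter is there for applications that render the state element under a different id.

```javascript
// Added example, not Angular code: audit SSR HTML for elements that share the
// hydration state id. Simplified tokenizer, not a full HTML parser.

// Return the value of the first id attribute in a start tag's attribute text.
function idOf(attrText) {
  const attrRe = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of attrText.matchAll(attrRe)) {
    if (m[1].toLowerCase() === 'id') return m[2] ?? m[3] ?? m[4] ?? '';
  }
  return null;
}

// List every element carrying stateId, in document order.
function findIdHolders(html, stateId = 'ng-state') {
  const tokenRe = /<!--[\s\S]*?-->|<([a-zA-Z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  const holders = [];
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    if (!m[1]) continue; // HTML comment, ignore its contents
    const tag = m[1].toLowerCase();
    if (idOf(m[2]) === stateId) holders.push({ tag, offset: m.index });
    if (tag === 'script' || tag === 'style') {
      // Raw-text element: skip the body so JSON or CSS is not read as markup.
      const closeRe = new RegExp('</' + tag, 'gi');
      closeRe.lastIndex = tokenRe.lastIndex;
      const close = closeRe.exec(html);
      if (!close) break;
      tokenRe.lastIndex = close.index;
    }
  }
  return holders;
}

// getElementById returns the first match in document order, so the page is
// safe only when exactly one element has the id and it is a <script>.
function auditStateId(html, stateId = 'ng-state') {
  const holders = findIdHolders(html, stateId);
  const firstTag = holders.length ? holders[0].tag : null;
  const clobberable = holders.length > 1 || (firstTag !== null && firstTag !== 'script');
  return { count: holders.length, firstTag, clobberable };
}

// Constructed sample pages (not captured from a real application).
const CLEAN_PAGE = '<body><div id="main">hi</div>' +
  '<script id="ng-state" type="application/json">{"k":"<a id=\\"ng-state\\">"}</script></body>';
const SHADOWED_PAGE = '<body><a id="ng-state">x</a>' +
  '<script id="ng-state" type="application/json">{}</script></body>';

console.log(auditStateId(CLEAN_PAGE), auditStateId(SHADOWED_PAGE));
```

A page is flagged when any element other than a single <script> holds the id, which matches both the duplicate-ID and the non-script conditions in the list above.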
Mitigation Strategies

The primary mitigation is to update Angular to a patched version: 22.0.1, 21.2.17, or 20.3.25, where the vulnerability is fixed.

If an immediate upgrade is not possible, apply workarounds such as not binding untrusted user input or CMS content to element IDs, especially the 'ng-state' ID.

Another mitigation is to configure a custom application ID to make the state element ID unpredictable, preventing attackers from targeting a predictable ID.

The fix ensures that only <script> elements with the correct ID are processed during hydration, so verifying that your application uses updated Angular code that performs this check is critical.
