The vulnerability exists in Angular’s Server-Side Rendering (SSR) and hydration mechanism when the `HttpTransferCache` utility is enabled. During SSR, this utility caches outgoing HTTP responses to speed up client‑side hydration by replaying them. However, the caching logic does not inspect the `withCredentials` flag or the `Cookie` header of outgoing requests. As a result, any response that requires user‑specific credentials (e.g., session cookies) is cached by default and placed into the shared `TransferState` payload. This payload is then serialized into the HTML that is sent to the client. If the HTML is stored in a shared caching layer (such as a CDN, reverse proxy, or shared server cache), the first user’s private data can be inadvertently delivered to other users who request the same URL, leading to a high‑severity information disclosure.
DailyCVE Form:
Platform: Angular SSR
Version: 19.0.0-19.2.22, 20.0.0-20.3.21, 21.0.0-21.2.14
Vulnerability: Information Disclosure
Severity: High
Date: May 29, 2026
Prediction: Already patched (May 29, 2026)
What Undercode Say
Check your Angular version and update the vulnerable `@angular/common` package:
```bash
# Check current Angular version
ng version

# If using npm, update @angular/common to the patched version
npm install @angular/common@21.2.15

# or for other affected lines:
npm install @angular/common@20.3.22
npm install @angular/common@19.2.23
```
Optionally, disable the HTTP transfer cache for credentialed requests by passing `withHttpTransferCacheOptions()` to `provideClientHydration()`:
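```typescript
import { ApplicationConfig } from '@angular/core';
import { provideClientHydration, withHttpTransferCacheOptions } from '@angular/platform-browser';

// In your app.config.ts
export const appConfig: ApplicationConfig = {
  providers: [
    provideClientHydration(
      withHttpTransferCacheOptions({
        // Keep requests that carry auth headers out of the transfer cache
        includeRequestsWithAuthHeaders: false,
        // Option as listed in this advisory for cookie-bearing requests
        includeCookies: false
      })
    )
  ]
};
```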
Exploit
- An attacker triggers an initial request that causes the SSR to perform a credentialed HTTP request (e.g., fetching user‑specific data with `withCredentials: true` or a `Cookie` header).
- The `HttpTransferCache` caches the response (including the sensitive user data) and stores it in the `TransferState` payload.
- The HTML containing the cached user data is delivered to the client and may be stored by a shared caching layer (CDN, reverse proxy, etc.).
- Another user requests the same URL and receives the cached HTML, which includes the first user’s private data.
No special privileges or user interaction are required; the vulnerability can be exploited in high‑traffic applications where shared caches are used.
Protection
- Upgrade immediately to one of the patched versions:
  - 22.0.0-rc.2
  - 21.2.15
  - 20.3.22
  - 19.2.23
- If upgrading is not immediately possible, disable the HTTP transfer cache for credentialed requests by configuring `provideClientHydration()` as shown above.
- Avoid storing SSR-generated HTML in shared caches unless proper cache-control headers differentiate authenticated sessions (e.g., `Cache-Control: private`).
- Monitor your CDN and reverse proxy logs for signs of cross-user cache contamination.
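To check a deployment for the condition described above, the following added example (not code from Angular or from this advisory) audits one SSR request/response pair: credentialed request, response storable by a shared cache, and a non-empty `TransferState` in the HTML. All function names are hypothetical; it assumes the default `ng-state` script id, treats keys starting with `__ngh` as hydration bookkeeping, and conservatively treats any response lacking `private` or `no-store` as shared-cacheable.

```typescript
type HeaderMap = Record<string, string | undefined>;

interface AuditResult {
  credentialed: boolean;     // request carried Cookie or Authorization
  sharedCacheable: boolean;  // a CDN or reverse proxy may store the response
  transferStateKeys: number; // TransferState entries other than hydration bookkeeping
  atRisk: boolean;           // all three conditions hold
}

// Constructed sample: SSR HTML whose TransferState holds one cached HTTP response.
const SAMPLE_HTML =
  '<html><body><app-root></app-root><script id="ng-state" type="application/json">' +
  '{"__nghData__":[],"2841937465":{"b":{"email":"user@example.test"},"s":200}}' +
  '</script></body></html>';

// Header names are case-insensitive, so compare them lower-cased.
function lowerKeys(h: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const k of Object.keys(h)) out[k.toLowerCase()] = h[k];
  return out;
}

// Conservative assumption: without "private" or "no-store" a shared cache may keep it.
function isSharedCacheable(cacheControl: string | undefined): boolean {
  const d = (cacheControl ?? "").toLowerCase().split(",").map((s) => s.trim());
  return !d.some((x) => x === "private" || x === "no-store");
}

// Count entries in the serialized TransferState (<script id="ng-state">, default APP_ID).
function countTransferStateKeys(html: string): number {
  const m = /<script[^>]*\bid="ng-state"[^>]*>([\s\S]*?)<\/script>/i.exec(html);
  if (!m) return 0;
  try {
    const state = JSON.parse(m[1] ?? "");
    // Assumption: keys starting with "__ngh" are hydration data, not HTTP responses.
    return Object.keys(state).filter((k) => !k.startsWith("__ngh")).length;
  } catch (_e) {
    return 0; // unparsable payload: nothing to count
  }
}

function auditSsrResponse(req: HeaderMap, res: HeaderMap, html: string): AuditResult {
  const rq = lowerKeys(req);
  const rs = lowerKeys(res);
  const credentialed = Boolean(rq["cookie"] || rq["authorization"]);
  const sharedCacheable = isSharedCacheable(rs["cache-control"]);
  const transferStateKeys = countTransferStateKeys(html);
  const atRisk = credentialed && sharedCacheable && transferStateKeys > 0;
  return { credentialed, sharedCacheable, transferStateKeys, atRisk };
}
```

Run it against responses captured at the origin with a test session cookie; any `atRisk: true` result on a route served through a CDN or reverse proxy needs `Cache-Control: private` or the patched `@angular/common`.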
Impact
Successful exploitation allows an unauthenticated attacker to obtain sensitive, user‑specific information of other authenticated users. This can lead to:
- Exposure of session tokens, personal data, or financial information.
- Account takeover if session cookies are leaked.
- Violation of data protection regulations (e.g., GDPR, HIPAA).
Sources:
Reported By: github.com

