Skip to content

CVE-2026-50170 (High) detected in common-12.2.5.tgz #132

Description

@mend-for-github-com

CVE-2026-50170 - High Severity Vulnerability

Vulnerable Library - common-12.2.5.tgz

Angular - commonly needed directives and services

Library home page: https://registry.npmjs.org/@⁠angular/common/-/common-12.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • common-12.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 36a9c5d28529109984de6fcc3d0a157d561dac4a

Found in base branch: master

Vulnerability Details

A vulnerability was discovered in "@⁠angular/common" when Server-Side Rendering (SSR) and hydration are enabled. The "HttpTransferCache" utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via "TransferState". However, the caching mechanism fails to inspect the "withCredentials" flag or the "Cookie" header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared "TransferState" payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user's private data to other users, leading to a high-severity information disclosure vulnerability. Impact Successful exploitation allows an unauthenticated attacker to obtain sensitive, user-specific information of other authenticated users. This occurs when: * The SSR-rendered HTML containing the cached private data is stored in a shared cache (e.g., CDN, reverse proxy). * Subsequent requests for the same page receive the cached HTML containing the first user's private data. Attack Preconditions * SSR and Hydration Enabled: The Angular application must be configured to use Server-Side Rendering and hydration (e.g., using "provideClientHydration()"). * Credentialed Requests during SSR: The application must perform HTTP requests that require user-specific authentication (using cookies or "withCredentials: true") during the initial server-side render. * Shared Caching: The application's HTML responses must be cached by a shared caching layer (CDN, reverse proxy, or server-side cache) without proper cache-control headers to distinguish authenticated users. Patches - 22.0.0-rc.2 - 21.2.15 - 20.3.22 - 19.2.23

Publish Date: 2026-06-15

URL: CVE-2026-50170

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q6f4-qqrg-jv6x

Release Date: 2026-06-15

Fix Resolution: https://github.com/angular/angular.git - v21.2.15,https://github.com/angular/angular.git - v19.2.23,https://github.com/angular/angular.git - v20.3.22


  • Check this box to open an automated fix PR

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions