GHSA-39pv-4j6c-2g6v: @angular/common: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning
Summary
Angular's `HttpTransferCache` uses a weak 32-bit hash function to cache HTTP responses during server-side rendering (SSR, where a web server generates HTML before sending it to the browser), making it vulnerable to hash collisions (when two different inputs produce the same output). An attacker can craft a malicious link that causes a sensitive response (like user profile data) to be overwritten with attacker-controlled data, leading to state poisoning (corrupting the application's data) or information leakage.
Solution / Mitigation
Update Angular to patched versions 22.0.1, 21.2.17, or 20.3.25, which now use SHA-256 (a cryptographically secure hashing algorithm) instead of the weak 32-bit hash. If you cannot upgrade immediately, either disable transfer caching for sensitive endpoints by adding `transferCache: false` to individual `HttpClient` requests, or disable HTTP transfer caching globally using `provideClientHydration(withNoHttpTransferCache())` in your app configuration.
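To check whether a project is still below the patched releases named above, the following added example (not code from Angular or from the advisory) audits the `packages` map of a `package-lock.json` for every installed copy of `@angular/common`. The function names and the sample lockfile are constructed; major lines for which the advisory text lists no fix are reported as `not-listed` rather than guessed.

```javascript
// Added example (not Angular project code). The patched versions come from the
// advisory; function names and the sample lockfile are constructed.
const PATCHED = { 20: [20, 3, 25], 21: [21, 2, 17], 22: [22, 0, 1] };

// Parse "21.2.17", "v21.2.17" or "21.2.17-rc.0"; returns null on anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// "patched"    : at or above the fixed release of its major line (semver order)
// "unpatched"  : below the fixed release (a pre-release of the fix counts as below)
// "not-listed" : unparsable, or a major line the advisory text names no fix for
function classify(version) {
  const p = parseVersion(version);
  const fix = p && PATCHED[p.nums[0]];
  if (!fix) return 'not-listed';
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== fix[i]) return p.nums[i] > fix[i] ? 'patched' : 'unpatched';
  }
  return p.pre ? 'unpatched' : 'patched';
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// report every installed copy of @angular/common, including nested ones.
function auditLock(lock) {
  const suffix = 'node_modules/@angular/common';
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith(suffix))
    .map(([path, meta]) => ({ path, version: meta.version, status: classify(meta.version) }));
}

// Constructed sample lockfile fragment.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@angular/common': { version: '21.2.16' },
    'node_modules/@angular/core': { version: '21.2.16' },
    'node_modules/legacy-widget/node_modules/@angular/common': { version: '20.3.25' },
  },
};

for (const f of auditLock(sampleLock)) console.log(`${f.status.padEnd(10)} ${f.version}  ${f.path}`);
```

Any copy reported as `unpatched` should be upgraded or covered by one of the `transferCache: false` / `withNoHttpTransferCache()` workarounds described above.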
Vulnerability Details
EPSS: 0.0%
June 15, 2026
Original source: https://github.com/advisories/GHSA-39pv-4j6c-2g6v
First tracked: June 15, 2026 at 02:00 PM