GHSA-HQR9-C56F-3X7F

Vulnerability from github – Published: 2026-06-15 17:20 – Updated: 2026-06-15 17:20
VLAI
Summary
@angular/platform-server: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Details

A Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of raw-text elements (such as <script>, <style>, and <iframe>).

domino supports escaping raw-text elements during serialization to prevent closing-tag breakout. However, a Unicode index alignment bug existed in this escaping logic.

In JavaScript, string lengths and character indices are calculated based on UTF-16 code units (where astral characters—such as emojis—occupy 2 code units / 4 bytes). If the bound dynamic text contained astral Unicode characters before the closing tag (e.g. </script>, </style>, or </iframe>), the index offset calculation in domino's replacement logic shifted.

This misalignment caused domino to fail to replace or escape the closing tag, leaving it raw and unescaped in the output HTML.

An attacker who controls the dynamic text can supply a payload containing both an astral Unicode character and a closing tag (e.g., 😀</iframe><script>alert(1)</script>). When serialized on the server during SSR, the browser parses the unescaped closing tag, exits the raw-text context early, and executes the subsequent <script> block, leading to same-origin Cross-Site Scripting (XSS).

Impact

This vulnerability allows an attacker to perform same-origin Cross-Site Scripting (XSS) attacks against any user visiting an SSR-rendered page that binds user-controlled data inside raw-text elements. This can lead to session hijacking, credentials theft, unauthorized actions on behalf of users, and defacement.

Patched Versions

  • 22.0.0-rc.2
  • 21.2.16
  • 20.3.24
  • 19.2.25

Workarounds

If you cannot immediately update your dependencies, you can:

  • Avoid binding user-controlled values inside <iframe> or other raw-text elements.
  • Sanitize any user input placed inside raw-text elements to explicitly strip closing tags before passing it to the template.
Severity
8.6 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/platform-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "22.0.0-next.0"
            },
            {
              "fixed": "22.0.0-rc.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/platform-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "21.0.0-next.0"
            },
            {
              "fixed": "21.2.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/platform-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "20.0.0-next.0"
            },
            {
              "fixed": "20.3.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/platform-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0-next.0"
            },
            {
              "fixed": "19.2.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/platform-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "18.2.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50555"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T17:20:30Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "A Cross-Site Scripting (XSS) vulnerability exists in `@angular/platform-server`\u0027s DOM emulation dependency (`domino`) when serializing the content of raw-text elements (such as `\u003cscript\u003e`, `\u003cstyle\u003e`, and `\u003ciframe\u003e`).\n\n`domino` supports escaping raw-text elements during serialization to prevent closing-tag breakout. However, a **Unicode index alignment bug** existed in this escaping logic.\n\nIn JavaScript, string lengths and character indices are calculated based on UTF-16 code units (where astral characters\u2014such as emojis\u2014occupy 2 code units / 4 bytes). If the bound dynamic text contained astral Unicode characters _before_ the closing tag (e.g. `\u003c/script\u003e`, `\u003c/style\u003e`, or `\u003c/iframe\u003e`), the index offset calculation in `domino`\u0027s replacement logic shifted.\n\nThis misalignment caused `domino` to fail to replace or escape the closing tag, leaving it raw and unescaped in the output HTML.\n\nAn attacker who controls the dynamic text can supply a payload containing both an astral Unicode character and a closing tag (e.g., `\ud83d\ude00\u003c/iframe\u003e\u003cscript\u003ealert(1)\u003c/script\u003e`). When serialized on the server during SSR, the browser parses the unescaped closing tag, exits the raw-text context early, and executes the subsequent `\u003cscript\u003e` block, leading to same-origin Cross-Site Scripting (XSS).\n\n### Impact\n\nThis vulnerability allows an attacker to perform same-origin Cross-Site Scripting (XSS) attacks against any user visiting an SSR-rendered page that binds user-controlled data inside raw-text elements. This can lead to session hijacking, credentials theft, unauthorized actions on behalf of users, and defacement.\n\n### Patched Versions\n\n- 22.0.0-rc.2\n- 21.2.16\n- 20.3.24\n- 19.2.25\n\n### Workarounds\n\nIf you cannot immediately update your dependencies, you can:\n\n- Avoid binding user-controlled values inside `\u003ciframe\u003e` or other raw-text elements.\n- Sanitize any user input placed inside raw-text elements to explicitly strip closing tags before passing it to the template.",
  "id": "GHSA-hqr9-c56f-3x7f",
  "modified": "2026-06-15T17:20:30Z",
  "published": "2026-06-15T17:20:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular/security/advisories/GHSA-hqr9-c56f-3x7f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/angular/domino/pull/29"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/angular/angular"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@angular/platform-server: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.