Use of Weak Hash Affecting @angular/common package, versions <20.3.25, >=21.0.0-next.0 <21.2.17, >=22.0.0-next.0 <22.0.1


Severity

Recommended
0.0
critical

CVSS assessment by Snyk's Security Team.

Threat Intelligence

EPSS
0.09% (1st percentile)

  • Snyk ID: SNYK-JS-ANGULARCOMMON-17356555
  • Published: 17 Jun 2026
  • Disclosed: 15 Jun 2026
  • Credit: CodeMender from Google DeepMind

Introduced: 15 Jun 2026

CVE-2026-54266
CWE-328

How to fix?

Upgrade @angular/common to version 20.3.25, 21.2.17, 22.0.1 or higher.

Overview

Affected versions of this package are vulnerable to Use of Weak Hash due to the use of a weak 32-bit hash in the HttpTransferCache. When a victim visits a crafted link containing the colliding parameter, the SSR process executes both the search request and the profile request. Due to the hash collision, the search response overwrites the profile response in the TransferState cache.
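The failure mode described above, as an added example that is not Angular's code: a response cache keyed only by a 32-bit digest lets a colliding request overwrite another entry, while a cache that also stores and compares the full request key does not. The hash function, the store types and the sample keys are assumptions made for illustration.

```typescript
// Added illustration, not Angular source. hash32 is an assumed generic
// 31-multiplier string hash standing in for "a weak 32-bit hash".
function hash32(s: string): string {
  let h = 0;
  for (let i = 0; i < s.length; i++) {
    h = (h * 31 + s.charCodeAt(i)) | 0; // wrap to 32 bits on every step
  }
  return String(h >>> 0);
}

// Weak form: the 32-bit digest alone identifies a cached response.
type WeakStore = { [digest: string]: string };
function putWeak(store: WeakStore, requestKey: string, body: string): void {
  store[hash32(requestKey)] = body;
}
function getWeak(store: WeakStore, requestKey: string): string | undefined {
  return store[hash32(requestKey)];
}

// Hardened form: the digest only selects a bucket; the full request key is
// stored with the body and compared on every read and write.
type CacheEntry = { requestKey: string; body: string };
type SafeStore = { [digest: string]: CacheEntry[] };
function findEntry(store: SafeStore, requestKey: string): CacheEntry | undefined {
  const bucket = store[hash32(requestKey)] || [];
  return bucket.filter((e) => e.requestKey === requestKey)[0];
}
function putSafe(store: SafeStore, requestKey: string, body: string): void {
  const hit = findEntry(store, requestKey);
  if (hit) { hit.body = body; return; }
  const digest = hash32(requestKey);
  (store[digest] = store[digest] || []).push({ requestKey, body });
}
function getSafe(store: SafeStore, requestKey: string): string | undefined {
  const hit = findEntry(store, requestKey);
  return hit ? hit.body : undefined;
}

// Constructed sample keys: "Aa" and "BB" are a textbook collision for this hash.
const KEY_A = "GET|/api/items?tag=Aa";
const KEY_B = "GET|/api/items?tag=BB";

function demo(): { collide: boolean; weakA: string | undefined; safeA: string | undefined } {
  const weak: WeakStore = {};
  const safe: SafeStore = {};
  putWeak(weak, KEY_A, "body A"); putWeak(weak, KEY_B, "body B");
  putSafe(safe, KEY_A, "body A"); putSafe(safe, KEY_B, "body B");
  return { collide: hash32(KEY_A) === hash32(KEY_B),
           weakA: getWeak(weak, KEY_A), safeA: getSafe(safe, KEY_A) };
}
```

In `demo()`, the weak store returns the second request's body for the first key, while the hardened store keeps the two entries apart.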

Workaround

This vulnerability can be mitigated by configuring HTTP requests to skip transfer caching for sensitive endpoints or by disabling the HTTP transfer cache globally in the application bootstrap configuration.
