Angularのi18n脆弱性が悪意のあるコード実行を可能に
A high-severity security flaw has been discovered in Angular, one of the most popular web application frameworks. This vulnerability, tracked as CVE-2026-27970, affects the framework’s internationalization (i18n) pipeline.
脆弱性の概要
If exploited, it allows attackers to execute malicious code within an application, posing a significant risk to user data and application integrity. The issue lies in how Angular handles International Components for Unicode (ICU) messages. ICU messages are used to manage complex translations such as pluralization or gender-specific phrasing.
脆弱性の詳細
When Angular processes these messages, it fails to properly sanitize the HTML content within the translated text. This Cross-Site Scripting (XSS) vulnerability is rated High severity and requires attackers to first compromise translation files such as .xliff or .xtb files.
攻撃の影響
- Credential Exfiltration: Attackers can steal sensitive user information stored in the browser’s memory, LocalStorage, IndexedDB, or cookies and send it to an external server.
- Page Vandalism: Attackers can alter how the application looks or behaves, disrupting the intended user experience.
脆弱性の詳細情報
The vulnerability is detailed as follows:
- CVE ID: CVE-2026-27970
- Component: @angular/core
- Vulnerability Type: Cross-Site Scripting (XSS) (CWE-79)
- Severity: High
- Affected Versions: <= 18.2.14, >= 19.0.0-next.0 <= 19.2.18, >= 20.0.0-next.0 <= 20.3.16, >= 21.0.0-next.0 <= 21.1.5, >= 21.2.0-next.0 <= 21.2.0-rc.0
- Patched Versions: 19.2.19, 20.3.17, 21.1.6, 21.2.0
対策とワークアラウンド
To protect against this vulnerability, developers must ensure their Angular applications are updated to the patched versions. If immediate updating is not possible, several workarounds can mitigate the risk:
- Carefully review and verify all translated content received from third parties before integrating it into the application.
- Implement strict Content-Security Policy (CSP) controls to block unauthorized JavaScript execution.
- Enable Trusted Types in the browser to enforce proper HTML sanitization, providing a strong defense against XSS attacks even if malicious code is present in the translation files.