js · @angular/commonCritical
@angular/common HttpTransferCache hash collision fix
Angular's HttpTransferCache now uses SHA-256 instead of a weak 32-bit DJB2-like hash for cache keys, preventing hash collision attacks.
What changed
Angular's HttpTransferCache now uses SHA-256 instead of a weak 32-bit DJB2-like hash for cache keys, preventing hash collision attacks.
Who it affects
Applications using Angular SSR with HttpTransferCache, especially those with sensitive endpoints.
What to do today
Upgrade to Angular 22.0.1, 21.2.17, or 20.3.25 immediately, or apply workarounds by disabling transfer cache for sensitive endpoints or globally.
The trail
Collected→
Audited→
Written→
Published