Security Advisory - Published 2026-06-22 - Node.js / Angular
Angular, piscina, and http-proxy-middleware: check developer and runtime exposure
This batch spans developer workstations and production Node services. Check the Angular VS Code extension, Angular package versions, worker-pool dependencies, and proxy router rules before assuming the risk is limited to a lockfile entry.
Affected packages
| CVE | Product | Affected / fixed | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-49241 | Angular Language Service | < 21.2.4 | Upgrade the VS Code Angular Language Service extension to 21.2.4 or newer and review untrusted workspace handling | 8.7 |
| CVE-2026-54268 | @angular/common | 22.0.1 / 21.2.17 / 20.3.25 | Upgrade Angular to 22.0.1, 21.2.17, or 20.3.25 and review user-controlled date formats | 8.2 |
| CVE-2026-55388 | piscina | 5.2.0 / 4.9.3 / 6.0.0-rc.2 | Upgrade piscina to 5.2.0, 4.9.3, or 6.0.0-rc.2 and review prototype pollution exposure | 8.1 |
| CVE-2026-55602 | http-proxy-middleware | 2.0.10 / 3.0.6 / 4.1.0 | Upgrade http-proxy-middleware to 2.0.10, 3.0.6, or 4.1.0 and review host+path router rules | 6.9 |
Owner self-check
node -p "process.version" 2>/dev/null
grep -RniE '@angular/(common|language-service)|piscina|http-proxy-middleware' package.json package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null
code --list-extensions --show-versions 2>/dev/null | grep -i 'angular.ng-template'
grep -RniE 'formatDate|DatePipe|new Piscina|createProxyMiddleware|router:' src server app 2>/dev/null | head -120
What to review
- Developer machines with Angular Language Service before 21.2.4, especially users who open external repositories.
- Angular SSR routes or APIs where user preferences, query data, or database fields can influence date formats.
- Node services using piscina worker pools together with dependencies that have prototype-pollution history.
- http-proxy-middleware router tables using host plus path selectors. Confirm intended backend routing after patching.
Safe fix path
- Upgrade Angular Language Service to 21.2.4 or newer on developer workstations.
- Upgrade @angular/common to 22.0.1, 21.2.17, or 20.3.25 where those major lines are used.
- Upgrade piscina to 5.2.0, 4.9.3, or 6.0.0-rc.2 depending on the deployed line.
- Upgrade http-proxy-middleware to 2.0.10, 3.0.6, or 4.1.0 and recheck proxy routing tests.
- Preserve deployment logs, worker crash logs, and proxy access logs before rotating secrets or rebuilding containers.
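To confirm that every resolved copy in a lockfile, nested ones included, sits at or above the fixed version for its release line, the following added example (not part of the advisory or of any listed project) compares `package-lock.json` entries with the fixed versions from the table. It assumes the v2/v3 `packages` layout and treats each major version as a release line; `scanLock`, `classify` and the sample lockfile are constructed for illustration.

```javascript
// Fixed versions per release line, copied from the advisory table.
const FIXED = new Map([
  ["@angular/common", ["22.0.1", "21.2.17", "20.3.25"]],
  ["piscina", ["5.2.0", "4.9.3", "6.0.0-rc.2"]],
  ["http-proxy-middleware", ["2.0.10", "3.0.6", "4.1.0"]],
]);
// "6.0.0-rc.2" -> { nums: [6, 0, 0], pre: ["rc", "2"] }; build metadata is dropped.
function parse(v) {
  const [core, pre] = v.split("+")[0].split(/-(.*)/);
  return { nums: core.split(".").map(Number), pre: pre ? pre.split(".") : [] };
}
// Semver precedence, so 2.0.9 < 2.0.10 and 6.0.0-rc.1 < 6.0.0-rc.2 < 6.0.0.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  // A release outranks any prerelease of the same core version.
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return Number(p) < Number(q) ? -1 : 1;
    if (pn !== qn) return pn ? -1 : 1; // numeric identifiers sort first
    return p < q ? -1 : 1;
  }
  return 0;
}
// Assumption: a release line is the major version of a fixed version in the table.
function classify(name, version) {
  const fix = (FIXED.get(name) || []).find((f) => parse(f).nums[0] === parse(version).nums[0]);
  if (!fix) return "unlisted-line"; // the table gives no fixed version for this major
  return compare(version, fix) < 0 ? "below-fix" : "at-or-above-fix";
}
// Walk the "packages" map of package-lock.json v2/v3, nested copies included.
function scanLock(lock) {
  return Object.entries(lock.packages || {})
    .map(([path, meta]) => ({ path, name: path.split("node_modules/").pop(), version: meta.version }))
    .filter((e) => FIXED.has(e.name) && e.version)
    .map((e) => ({ ...e, status: classify(e.name, e.version) }));
}
// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = { packages: {
  "node_modules/@angular/common": { version: "21.2.16" },
  "node_modules/piscina": { version: "6.0.0-rc.1" },
  "node_modules/http-proxy-middleware": { version: "3.0.6" },
  "node_modules/some-dev-tool/node_modules/http-proxy-middleware": { version: "2.0.9" },
  "node_modules/old-dep/node_modules/piscina": { version: "3.2.0" },
} };
for (const f of scanLock(SAMPLE_LOCK)) console.log(f.status, f.version, f.path);
```

Majors the table does not list come back as `unlisted-line` and need a manual check, since the advisory gives no fixed version for them.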
Repair help
Use Ping7 CVE Repair when an Angular SSR app is public, proxy routing reaches sensitive backends, worker process logs look unusual, or a developer opened untrusted code with the affected extension installed.