fix(deps): update dependency @angular/common to v20.3.25 [security] by renovate[bot] · Pull Request #207 · p3ol/ngx-example

renovate · 2025-11-27T04:50:29Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/common (source)	`20.2.0` → `20.3.25`

Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client

CVE-2025-66035 / GHSA-58c5-g7wp-6w37

More information

Details

The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.

Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header.

Impact

The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.

Attack Preconditions

The victim's Angular application must have XSRF protection enabled.
The attacker must be able to make the application send a state-changing HTTP request (e.g., POST) to a protocol-relative URL (e.g., //attacker.com) that they control.

Patches

19.2.16
20.3.14
21.0.1

Workarounds

Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Severity

CVSS Score: 7.7 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

@angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache

CVE-2026-50170 / GHSA-q6f4-qqrg-jv6x

More information

Details

A vulnerability was discovered in @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState.

However, the caching mechanism fails to inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared TransferState payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user's private data to other users, leading to a high-severity information disclosure vulnerability.

Impact

Successful exploitation allows an unauthenticated attacker to obtain sensitive, user-specific information of other authenticated users. This occurs when:

The SSR-rendered HTML containing the cached private data is stored in a shared cache (e.g., CDN, reverse proxy).
Subsequent requests for the same page receive the cached HTML containing the first user's private data.

Attack Preconditions

SSR and Hydration Enabled: The Angular application must be configured to use Server-Side Rendering and hydration (e.g., using provideClientHydration()).
Credentialed Requests during SSR: The application must perform HTTP requests that require user-specific authentication (using cookies or withCredentials: true) during the initial server-side render.
Shared Caching: The application's HTML responses must be cached by a shared caching layer (CDN, reverse proxy, or server-side cache) without proper cache-control headers to distinguish authenticated users.

Patches

22.0.0-rc.2
21.2.15
20.3.22
19.2.23

Severity

CVSS Score: 8.2 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

@angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)

CVE-2026-50171 / GHSA-p3vc-36g9-x9gr

More information

Details

A Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum fraction digits parsed from the digitsInfo string (e.g., 1.2-4) are converted to integers and used without limits.

When parsing a maliciously crafted digitsInfo string with excessively large fraction digit values (e.g., 1.200000000-200000000), the internal roundNumber function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array.

Impact

Successful exploitation of this vulnerability allows an attacker to trigger resource exhaustion, leading to a Denial of Service (DoS):

Server-Side Rendering (SSR): In applications using SSR (e.g., @angular/ssr), an attacker can crash the Node.js server process due to a JavaScript heap out of memory error. This affects the availability of the application for all users.
Client-Side Rendering (CSR): In standard client-side applications, the unbounded loop will block the main thread, freezing the user's browser tab and making it unresponsive.

Attack Preconditions

For this vulnerability to be exploitable, the following conditions must be met:

Vulnerable Component Usage: The application must use Angular's number formatting utilities, such as the formatNumber function directly, or via template pipes (DecimalPipe, PercentPipe, CurrencyPipe).
Attacker-Controlled Parameter: The digitsInfo parameter passed to these utilities must be customizable or directly controlled by untrusted user input (e.g., parsed from query parameters, user preference settings, or API responses that accept user-defined formatting options). If digitsInfo is trusted or limited to a known, defined range for its value, the vulnerability is not exploitable by external attackers.

Patches

22.0.0-rc.2
21.2.15
20.3.22
19.2.23

Credits

This vulnerability was discovered and reported by CodeMender from Google DeepMind.

Severity

CVSS Score: 8.2 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

@angular/common: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning

CVE-2026-54266 / GHSA-39pv-4j6c-2g6v

More information

Details

Angular's HttpTransferCache caches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in TransferState using a cache key generated by hashing request properties (method, response type, mapped URL, serialized body, and sorted query parameters).

The cache keys are generated using a weak 32-bit DJB2-like polynomial rolling hash. The 32-bit hash space is extremely small, allowing attackers to find hash collisions.

An attacker can easily find a query parameter string (e.g., q=aaCAZMMM for a search request) that produces the exact same 32-bit hash as a sensitive endpoint (e.g., /api/user/profile). When a victim visits a crafted link containing the colliding parameter, the SSR process executes both the search request and the profile request. Due to the hash collision, the search response overwrites the profile response in the TransferState cache.

Impact

When the application attempts to retrieve the cached response for the sensitive endpoint (such as the user's profile), it receives the attacker-controlled response instead. This results in:

State Poisoning: The application runs with attacker-forged data, which can lead to bypassing client-side security controls or DOM-based Cross-Site Scripting (XSS) if the data is rendered unsafely.
Information Leakage: If the sensitive response is mistakenly associated with the attacker's search results and rendered on the page, the victim's sensitive data may be disclosed to the attacker.

Patched Versions

22.0.1
21.2.17
20.3.25

Framework-Level Fix

The logic has been updated to use a cryptographically secure SHA-256 hash algorithm for generating TransferState cache keys in HttpTransferCache. The cache keys are now 256-bit hexadecimal strings.

Workarounds

If you cannot upgrade immediately, configure your HttpClient requests to skip transfer caching for sensitive endpoints:

this.http.get('/api/user/profile', {
  transferCache: false
});

Alternatively, disable the HTTP transfer cache globally in your application bootstrap config:

import { provideClientHydration, withNoHttpTransferCache } from '@&#8203;angular/platform-browser';

export const appConfig = {
  providers: [
    provideClientHydration(
      withNoHttpTransferCache()
    )
  ]
};

Credits

This vulnerability was discovered and reported by CodeMender from Google DeepMind.

Severity

CVSS Score: 8.8 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

@angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)

CVE-2026-54268 / GHSA-48r7-hpm6-gfxm

More information

Details

A Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter.

When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS).

Impact

1. Server-Side Rendering (SSR)

In Angular applications that leverage Server-Side Rendering, an attacker can supply a malicious payload with an excessively long date format string. Processing this on the server causes high CPU usage and triggers a JavaScript heap out of memory crash, rendering the application unavailable to all users.

2. Client-Side Rendering (CSR)

In standard client-side applications, executing the vulnerable function with an excessively long format string blocks the browser's main thread, causing the browser tab to freeze and become completely unresponsive.

Patched Versions

22.0.1
21.2.17
20.3.25

Attack Preconditions

For this vulnerability to be exploitable, both of the following conditions must be met:

Vulnerable Component Usage: The application must format dates using the formatDate utility or the DatePipe.
Attacker-Controlled Parameter: The date format string passed to these utilities must be customizable or directly controlled by untrusted user input (e.g., parsed from query parameters, user preferences, or API responses).

If the date format is hardcoded (e.g., 'mediumDate', 'shortTime', or static strings) or properly validated to be within a reasonable length limit, the application is not vulnerable.

Severity

CVSS Score: 8.2 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

angular/angular (@angular/common)

Commit	Type	Description
9f443bc24c	fix	Limits date format string length
566ad05f20	fix	skip transfer cache for uncacheable HTTP traffic
1a62130a6b	fix	use cryptographically secure SHA-256 for transfer cache key generation

Commit	Type	Description
768a349e6e	fix	harden TransferState restoration against DOM clobbering
ca48b4728d	fix	validate lowercase SVG animation attribute names (#69270)

Commit	Type	Description
06be298267	fix	preserve empty referrer option in HttpRequest
fa940e1f4d	fix	Rejects non-HTTP(S) URLs in JSONP requests
e2ef1ce72a	fix	skip transfer cache for fetch credentialed requests

Commit	Type	Description
49368c1859	fix	harden platform location origin validation during SSR
d55c94ad81	refactor	deprecate ServerXhr (#69256)

Commit	Type	Description
6ca433e56b	fix	throw on suspicious URLs and restrict protocol-relative URLs
8680b5152f	fix	update domino to latest version

Commit	Type	Description
3d135ce59b	fix	add upper bounds for digitsInfo
39a4b4cc8e	fix	sanitize placeholder

Commit	Type	Description
8f35b182b1	fix	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68926)
64a89e917a	fix	sanitize dynamic href and xlink:href bindings on SVG a elements (#68926)
6404edfe0a	fix	strip namespaced SVG script elements during template compilation (#68926)

Commit	Type	Description
e345a58069	fix	normalize tag names in runtime i18n attribute security context lookup (#68926)
d86e4e7b2a	fix	reject script element as a dynamic component host (#68926)
af04936045	fix	sanitize meta selectors
dc631efa96	fix	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68926)
909ef047b3	fix	synchronize core sanitization schema with compiler (#68926)

Commit	Type	Description
de7b2a62e7	fix	exclude withCredentials requests from transfer cache
4233188d8e	fix	skip TransferCache for cookie-bearing requests by default

Commit	Type	Description
5fdfd8a998	fix	preserve redirect policy on reconstructed asset requests
83b022f2d0	fix	Preserves explicit 'credentials: omit' in asset requests
e617fa06eb	fix	Preserves HTTP cache mode in asset group requests

Commit	Type	Description
f9d0818087	fix	support arbitrary nesting in :host-context()
106b9040df	fix	support commas in :host() argument
9419ea348a	fix	support complex selectors in :nth-child()
036c5d2a07	fix	support one additional level of nesting in :host()

Commit	Type	Description
4c89a267c3	fix	pass element removal property through in all locations (#64565)
2fad4d4ab6	fix	prevent duplicate nodes from being retained with fast `animate.leave`` calls (#64592)

Commit	Type	Description
cfd8ed3fff	fix	Fix outlet serialization and parsing with no primary children (#64505)
182fe78f91	fix	Surface parse errors in Router.parseUrl (#64503)

Commit	Type	Description
8dec92ff9f	fix	capture metadata for undecorated fields (#63957) (#64317)
c2e817b0ef	perf	fix performance of "interpolated signal not invoked" check (#64410)

Commit	Type	Description
a9bcffdbc7	fix	disallow event attribute bindings in host bindings unconditionally (#68468)
97eeb45cfa	fix	validate security-sensitive attributes in i18n bindings (#68468)

Commit	Type	Description
72126f9a08	fix	sanitize translated attribute bindings with interpolations
626bc8bc20	fix	sanitize translated form attributes

Commit	Type	Description
f15cfa4cc4	fix	fixes regression in `animate.leave` function bindings (#64413)
d54dd674ca	fix	Prevents early style pruning with leave animations (#64335)

Commit	Type	Description
554573e524	fix	migrating input with more than 1 usage in a method (#64367)
2c79ca0b57	fix	remove error for no matching files in control flow migration (#64253) (#64314)

Commit	Type	Description
853ed169a8	fix	ensure missing leave animations don't queue leave animations (#64226)
6fed986b7a	fix	Fixes animations in conjunction with content projection (#63776)
76fe5599fe	fix	handle undefined CSS time values in parseCssTimeUnitsToMs function (#64181)
3b959105be	fix	prevent early exit from leave animations when multiple transitions are present (#64225)

Conversation

renovate Bot commented Nov 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client

Details

Impact

Attack Preconditions

Patches

Workarounds

Severity

References

@​angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache

Details

Impact

Attack Preconditions

Patches

Severity

References

@​angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)

Details

Impact

Attack Preconditions

Patches

Credits

Severity

References

@​angular/common: Weak 32-Bit Cache Key Hashing in HttpTransferCache Leading to Cross-Request Data Leakage and State Poisoning

Details

Impact

Patched Versions

Framework-Level Fix

Workarounds

Credits

Severity

References

@​angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)

Details

Impact

1. Server-Side Rendering (SSR)

2. Client-Side Rendering (CSR)

Patched Versions

Attack Preconditions

Severity

References

Release Notes

Deprecations

platform-server

common

compiler

core

http

platform-server

service-worker

platform-server

compiler

common

compiler

core

http

platform-server

service-worker

platform-server

core

platform-server

platform-server

compiler

core

Breaking Changes

core

core

core

compiler

http

common

compiler

core

compiler-cli

migrations

animations

compiler

renovate Bot commented Nov 27, 2025 •

edited

Loading

@angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache

@angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)

@angular/common: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning

@angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)