FKIE_CVE-2025-59052

Vulnerability from fkie_nvd - Published: 2025-09-10 21:15 - Updated: 2025-09-11 17:14
Summary
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks. The APIs `bootstrapApplication`, `getPlatform`, and `destroyPlatform` were vulnerable and required SSR-only breaking changes. The issue has been patched in all active release lines as well as in the v21 prerelease. Patched packages include `@angular/platform-server` 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14 and `@angular/ssr` 21.0.0-next.3, 20.3.0, 19.2.16, and 18.2.21. Several workarounds are available. Disable SSR via Server Routes or builder options, remove any asynchronous behavior from custom `bootstrap` functions, remove uses of `getPlatform()` in application code, and/or ensure that the server build defines `ngJitMode` as false.
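The race the description outlines, as an added example that is not Angular's code: a server-side renderer keeps per-request state in a module-scoped global, an `await` sits between writing that global and reading it back, and 50 concurrent requests are rendered. The names `fetchUserData`, `renderVulnerable`, `renderSyncBootstrap`, `renderPerRequest` and `countLeaks` are hypothetical stand-ins for the SSR bootstrap, the data fetch that yields to the event loop, and an attacker-style request flood; the inputs are constructed.

```javascript
// Added illustration of the CWE-362 pattern behind CVE-2025-59052.
// Not Angular's code: it models a renderer that stores request-specific
// state in a module-scoped global, as the advisory says the old platform
// injector did, and counts how many responses carry another request's token.

// The shared module-scoped global: the root cause.
let currentPlatform = null;

// Constructed stand-in for an async data call made during rendering.
// Yielding to the event loop is what opens the window for another request.
async function fetchUserData(userId) {
  await new Promise((resolve) => setTimeout(resolve, 0));
  return { userId };
}

// Vulnerable shape: write request state into the global, await, then read
// the global back. Every request that starts during the await overwrites it.
async function renderVulnerable(req) {
  currentPlatform = { sessionToken: req.sessionToken };
  await fetchUserData(req.userId);
  return `<meta name="session" content="${currentPlatform.sessionToken}">`;
}

// Workaround shape (advisory: "remove any asynchronous behavior from custom
// bootstrap functions"): the global is still shared, but it is written and
// read in the same synchronous turn, so no other request can interleave.
async function renderSyncBootstrap(req) {
  currentPlatform = { sessionToken: req.sessionToken };
  const head = `<meta name="session" content="${currentPlatform.sessionToken}">`;
  await fetchUserData(req.userId);
  return head;
}

// Fixed shape: request state lives in a per-request object that travels
// through the async chain, so there is nothing shared to overwrite.
async function renderPerRequest(req) {
  const platform = { sessionToken: req.sessionToken };
  await fetchUserData(req.userId);
  return `<meta name="session" content="${platform.sessionToken}">`;
}

// Hypothetical harness: fire n requests concurrently (constructed tokens)
// and count responses whose token belongs to a different request. This is
// the check the advisory's attacker performs from the outside.
async function countLeaks(render, n) {
  const requests = Array.from({ length: n }, (_, i) => ({
    userId: i,
    sessionToken: `tok-${i}`,
  }));
  const pages = await Promise.all(requests.map((req) => render(req)));
  const seen = new Set();
  let leaks = 0;
  pages.forEach((html, i) => {
    const match = /content="([^"]+)"/.exec(html);
    const token = match ? match[1] : null;
    seen.add(token);
    if (token !== requests[i].sessionToken) leaks += 1;
  });
  return { leaks, distinctTokens: seen.size };
}

// Stand-alone run: the vulnerable renderer hands almost every request the
// token of the last request that started; the other two leak nothing.
async function main() {
  for (const render of [renderVulnerable, renderSyncBootstrap, renderPerRequest]) {
    const result = await countLeaks(render, 50);
    console.log(render.name, result);
  }
}
main();
```

The sync-bootstrap variant shows why the advisory's workaround closes the window without removing the global: with no `await` between the write and the read, the event loop never gets a chance to run another request in between. The per-request variant is the general shape of a fix (state carried with the request rather than in module scope); the advisory's actual patches are the pull requests listed under references.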
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the \"platform injector\") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks. The APIs `bootstrapApplication`, `getPlatform`, and `destroyPlatform` were vulnerable and required SSR-only breaking changes.\nThe issue has been patched in all active release lines as well as in the v21 prerelease. Patched packages include `@angular/platform-server` 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14 and `@angular/ssr` 21.0.0-next.3, 20.3.0, 19.2.16, and 18.2.21. Several workarounds are available. Disable SSR via Server Routes or builder options, remove any asynchronous behavior from custom `bootstrap` functions, remove uses of `getPlatform()` in application code, and/or ensure that the server build defines `ngJitMode` as false."
    }
  ],
  "id": "CVE-2025-59052",
  "lastModified": "2025-09-11T17:14:10.147",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-10T21:15:37.283",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/angular/angular-cli/pull/31108"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/angular/angular/pull/63562"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/angular/angular/security/advisories/GHSA-68x2-mx4q-78m7"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}
