Skip to content

chore(deps): update dependency @angular/core to v21.2.17 [security]#608

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-angular-core-vulnerability
Open

chore(deps): update dependency @angular/core to v21.2.17 [security]#608
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-angular-core-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@angular/core (source) 21.2.1021.2.17 age confidence

Angular Client Hydration DOM Clobbering & Response-Cache Poisoning

CVE-2026-54267 / GHSA-rgjc-h3x7-9mwg

More information

Details

To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application's runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a <script> tag with a predictable identifier:

<script type="application/json" id="ng-state">
    {"some-api-url": {"body": ...}}
</script>

During client bootstrap, Angular recovers this state by looking up the element via document.getElementById('ng-state') and parsing its text content.

Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering.

If the application binds untrusted user input or CMS content to element properties such as id (e.g., <div [id]="userInput"> or <a id="ng-state">) before the genuine <script> tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup.

During hydration, when Angular calls document.getElementById('ng-state'), the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON.

Impact

By clobbering the state element, the attacker can inject a custom JSON payload into Angular's TransferState cache. The most critical exploitation vector is poisoning the HTTP Transfer Cache.

  1. The attacker injects a clobbered ng-state element containing custom JSON.
  2. The JSON maps a key (representing a target API endpoint URL) to a malicious payload of the attacker's choice.
  3. During client-side initialization, Angular's HttpClient checks TransferState before making requests. Finding the poisoned key, HttpClient returns the forged response instantly instead of requesting the genuine backend API.

Depending on how the application processes and renders the affected API response, this can lead to:

  • DOM-based Cross-Site Scripting (XSS) if poisoned fields are rendered using unsafe bindings.
  • Privilege Escalation by spoofing user info or session details retrieved from poisoned API payloads.
  • UI Hijacking and redirection by spoofing configuration endpoints.
Patched Versions
  • 22.0.1
  • 21.2.17
  • 20.3.25
Workarounds

If you cannot immediately update to a patched Angular version, apply the following workarounds:

A. Avoid Dynamic/User-Controlled IDs

Avoid binding raw user-supplied values or dynamic CMS IDs directly to element attributes. If dynamic IDs are required, sanitize them or prepend a static safe prefix:

<!-- Vulnerable Pattern -->
<div [id]="userControlledInput">...</div>

<!-- Mitigated Pattern -->
<div [id]="'safe-prefix-' + userControlledInput">...</div>
B. Configure a Custom Application ID

Declaring a unique, non-predictable APP_ID changes the ID suffix of the state element, making it harder for attackers to predict and target:

// app.config.ts

import { APP_ID } from '@&#8203;angular/core';
import { provideClientHydration } from '@&#8203;angular/platform-browser';

export const appConfig = {
  providers: [
    { provide: APP_ID, useValue: 'unique-obfuscated-app-id' },
    provideClientHydration()
  ]
};

This changes the state element lookup ID from ng-state to unique-obfuscated-app-id-state.

Severity

  • CVSS Score: 8.6 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

@​angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)

CVE-2026-52725 / GHSA-692r-grfm-v8x7

More information

Details

An issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation.

Specifically, the dynamic component instantiation mechanism (createComponent) failed to reject mounting components directly onto a <script> or namespaced script element (such as <svg:script>). This enabled the initialization of custom components on a tag that executes scripts, allowing attackers to hijack or inject script-executing hosts.

This flaw enables an attacker who can control the host element or selector parameter passed to createComponent to initialize or mount an Angular component directly onto a <script> tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS).

Impact

Any Angular application that registers dynamic components based on user-supplied parameters (like selectors or host elements) is vulnerable to this security bypass.

Once exploited, this allows a malicious actor to mount a dynamic component on a script tag, bypassing core dynamic component creation safeguards to execute arbitrary JavaScript within the target user's browser context. This could lead to session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user.

Attack Preconditions

To successfully exploit these vulnerabilities, the following environment parameters and application states must all concurrently exist:

  1. User-Controlled Host Selection: The application must accept user-controlled inputs that are passed as a selector/host element to createComponent.
  2. Absence of Additional Context Sanitization: The application does not perform separate input sanitization before feeding values to the dynamic creation APIs.
Patches
  • 22.0.0-rc.2
  • 21.2.15
  • 20.3.22
  • 19.2.23

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Angular: Template and Attribute Namespace Sanitization Bypass (XSS)

CVE-2026-50557 / GHSA-f3m7-gqxr-g87x

More information

Details

An issue in the @angular/compiler and @angular/core packages allows bypassing element and attribute sanitization/validation through specific namespace workarounds.

Specifically, namespaced script elements (e.g., <svg:script> or <:svg:script>) were not properly identified as script elements by the Angular template preparser, allowing them to pass through template compilation without being stripped.

Furthermore, security context schema mappings for element attributes did not consistently handle attributes within namespaced elements (like SVG and MathML), opening up gaps where malicious namespaced attributes could bypass runtime and compile-time sanitizers.

Combined, these flaws enable an attacker who can inject or supply a template/tag structure with custom namespaces to bypass Angular's script-stripping logic and attribute sanitizers, leading to client-side Cross-Site Scripting (XSS).

Impact

Any Angular application that compiles user-controlled templates at runtime, or relies on sanitization of namespaced elements/attributes, is vulnerable to this security bypass.

Once exploited, this allows a malicious actor to inject a namespaced script element or dynamic attribute bindings, bypassing core sanitization constraints to execute arbitrary JavaScript within the target user's browser context. This could lead to session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user.

Attack Preconditions

To successfully exploit these vulnerabilities, the following environment parameters and application states must all concurrently exist:

  1. User-Controlled Template Input: The application must accept user-controlled inputs that are directly processed by the Angular template compiler at runtime.
  2. Namespace Parsing Support: The input structure must employ custom namespace prefixes (such as <svg:script>) to evade standard tag-name blocklists/checks.
  3. Absence of Additional Context Sanitization: The application does not perform separate input sanitization before feeding values to the Angular compiler.
Patches
  • 22.0.0-rc.2
  • 21.2.15
  • 20.3.22
  • 19.2.23

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

angular/angular (@​angular/core)

v21.2.17

Compare Source

Deprecations

platform-server
  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.
common
Commit Type Description
86a56dc279 fix Limits date format string length
d846326b07 fix skip transfer cache for uncacheable HTTP traffic
bc55749698 fix use cryptographically secure SHA-256 for transfer cache key generation
compiler
Commit Type Description
dc9c99636d fix sanitize two-way properties
core
Commit Type Description
1523061137 fix harden TransferState restoration against DOM clobbering
88832c84f8 fix validate lowercase SVG animation attribute names (#​69269)
http
Commit Type Description
bcb1b7ea25 fix preserve empty referrer option in HttpRequest
a810a319d1 fix Rejects non-HTTP(S) URLs in JSONP requests
e245d40c4d fix skip transfer cache for fetch credentialed requests
platform-server
Commit Type Description
35510746b7 fix harden platform location origin validation during SSR
13fb0afe93 refactor deprecate ServerXhr (#​69255)
service-worker
Commit Type Description
b9d29381bb fix Strips sensitive headers on cross-origin redirects

v21.2.16

Compare Source

common
Commit Type Description
f6d8e642b0 fix only strip a literal /index.html suffix from URLs
compiler
Commit Type Description
ae1c8a1f7a fix move projection attributes into constants
core
Commit Type Description
3fd6897a67 fix harden inherit definition feature against polluted prototypes
7e38336dc7 fix use Object.create(null) for LOCALE_DATA as a hardening measure
platform-server
Commit Type Description
66821c4ed5 fix throw on suspicious URLs and restrict protocol-relative URLs
d3170031b6 fix update domino to latest version

v21.2.15

Compare Source

common
Commit Type Description
7f4ac78994 fix add upper bounds for digitsInfo
300f61feb3 fix sanitize placeholder
compiler
Commit Type Description
0b07f47bd6 fix normalize tag names with custom namespaces in DomElementSchemaRegistry (#​68925)
eb1cbbf2eb fix prevent namespaced SVG <style> elements from being stripped
cc1378d54b fix sanitize dynamic href and xlink:href bindings on SVG a elements (#​68925)
782e01594e fix strip namespaced SVG script elements during template compilation (#​68925)
core
Commit Type Description
ff12fe55ac fix normalize tag names in runtime i18n attribute security context lookup (#​68925)
e6fe77cc97 fix sanitize meta selectors
daaf32937f fix support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#​68925)
dada86e43d fix synchronize core sanitization schema with compiler (#​68925)
http
Commit Type Description
582a417bd2 fix exclude withCredentials requests from transfer cache
5c6d6df34b fix skip TransferCache for cookie-bearing requests by default
platform-server
Commit Type Description
37e8aadf87 fix prevent SSRF bypasses via backslash URLs in HttpClient
72696e244e fix secure location and document initialization against SSRF and path hijack
service-worker
Commit Type Description
b8bd49341d fix Preserves explicit 'credentials: omit' in asset requests
ca32fc1000 fix Preserves HTTP cache mode in asset group requests

v21.2.14

Compare Source

compiler
Commit Type Description
68282dff9f fix strip namespaced SVG script elements during template compilation
core
Commit Type Description
c0f52272ed fix do not insert todo when migrating void @​Output
938a7f3edd fix makes resource URL sanitizer lookup case-insensitive
0fb2724194 fix reject script element as a dynamic component host
49113ac0ef fix visit ICU expressions in signal migration schematics
router
Commit Type Description
099bf577ee fix skip scroll-to-top on initial navigation when hydrating

v21.2.13

Compare Source

core
Commit Type Description
1c6553e97d fix disallow event attribute bindings in host bindings unconditionally
platform-server
Commit Type Description
629905d537 fix add allowedHosts option to renderModule and renderApplication
0b7192f441 fix forward BEFORE_APP_SERIALIZED errors to ErrorHandler

v21.2.12

Compare Source

core
Commit Type Description
fe13bb669d fix allow explicit read generic with signal input transforms
3430251fef fix i18n flags leaking on errors
1aeebbe304 fix respect ngSkipHydration on components with projectable nodes in LContainers
9e38ed7d57 fix sanitizer typings
7a05a9a71a fix validate security-sensitive attributes in i18n bindings
c37f6ca42f fix visit ng-let expression value in signal migration schematics
forms
Commit Type Description
03ad53863b fix prohibit concurrent submits in signal forms

v21.2.11

Compare Source

common
Commit Type Description
10ad3c0692 fix prevent focus from scrollToAnchor
compiler
Commit Type Description
4f5d8a2c0b fix let declaration span not including end character
core
Commit Type Description
a40e2cebc8 fix fix ordering of view queries metadata in JIT mode
885a1a1d97 fix guard against non-object events and avoid listener wrapper identity mismatch
7a64aff9b5 fix prevent event replay double-invocation when element hydrates before app stability
platform-server
Commit Type Description
be1f80a253 fix ensure origin has a trailing slash when parsing url

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 15, 2026
@sonarqubecloud

sonarqubecloud Bot commented Jun 15, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants