chore(deps): update dependency @angular/common to v21.2.17 [security]#609
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency @angular/common to v21.2.17 [security]#609renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
added
dependencies
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
21.2.10→21.2.17@angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache
CVE-2026-50170 / GHSA-q6f4-qqrg-jv6x
More information
Details
A vulnerability was discovered in
@angular/commonwhen Server-Side Rendering (SSR) and hydration are enabled. TheHttpTransferCacheutility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application viaTransferState.However, the caching mechanism fails to inspect the
withCredentialsflag or theCookieheader of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the sharedTransferStatepayload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user's private data to other users, leading to a high-severity information disclosure vulnerability.Impact
Successful exploitation allows an unauthenticated attacker to obtain sensitive, user-specific information of other authenticated users. This occurs when:
Attack Preconditions
provideClientHydration()).withCredentials: true) during the initial server-side render.Patches
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
@angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)
CVE-2026-50171 / GHSA-p3vc-36g9-x9gr
More information
Details
A Denial of Service (DoS) vulnerability exists in the
@angular/commonpackage of Angular. TheformatNumberfunction, which is also utilized byDecimalPipe,PercentPipe, andCurrencyPipe, does not properly validate the upper bounds of thedigitsInfoparameter. Specifically, the minimum and maximum fraction digits parsed from thedigitsInfostring (e.g.,1.2-4) are converted to integers and used without limits.When parsing a maliciously crafted
digitsInfostring with excessively large fraction digit values (e.g.,1.200000000-200000000), the internalroundNumberfunction attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array.Impact
Successful exploitation of this vulnerability allows an attacker to trigger resource exhaustion, leading to a Denial of Service (DoS):
@angular/ssr), an attacker can crash the Node.js server process due to aJavaScript heap out of memoryerror. This affects the availability of the application for all users.Attack Preconditions
For this vulnerability to be exploitable, the following conditions must be met:
formatNumberfunction directly, or via template pipes (DecimalPipe,PercentPipe,CurrencyPipe).digitsInfoparameter passed to these utilities must be customizable or directly controlled by untrusted user input (e.g., parsed from query parameters, user preference settings, or API responses that accept user-defined formatting options). IfdigitsInfois trusted or limited to a known, defined range for its value, the vulnerability is not exploitable by external attackers.Patches
Credits
This vulnerability was discovered and reported by CodeMender from Google DeepMind.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
@angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
CVE-2026-54268 / GHSA-48r7-hpm6-gfxm
More information
Details
A Denial of Service (DoS) vulnerability exists in the
@angular/commonpackage of the Angular framework. TheformatDatefunction, which is also utilized by the standard AngularDatePipe, does not properly limit or validate the length of theformatparameter.When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS).
Impact
1. Server-Side Rendering (SSR)
In Angular applications that leverage Server-Side Rendering, an attacker can supply a malicious payload with an excessively long date format string. Processing this on the server causes high CPU usage and triggers a
JavaScript heap out of memorycrash, rendering the application unavailable to all users.2. Client-Side Rendering (CSR)
In standard client-side applications, executing the vulnerable function with an excessively long format string blocks the browser's main thread, causing the browser tab to freeze and become completely unresponsive.
Patched Versions
Attack Preconditions
For this vulnerability to be exploitable, both of the following conditions must be met:
formatDateutility or theDatePipe.If the date format is hardcoded (e.g.,
'mediumDate','shortTime', or static strings) or properly validated to be within a reasonable length limit, the application is not vulnerable.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
@angular/common: Weak 32-Bit Cache Key Hashing in
HttpTransferCacheLeading to Cross-Request Data Leakage and State PoisoningCVE-2026-54266 / GHSA-39pv-4j6c-2g6v
More information
Details
Angular's
HttpTransferCachecaches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored inTransferStateusing a cache key generated by hashing request properties (method, response type, mapped URL, serialized body, and sorted query parameters).The cache keys are generated using a weak 32-bit DJB2-like polynomial rolling hash. The 32-bit hash space is extremely small, allowing attackers to find hash collisions.
An attacker can easily find a query parameter string (e.g.,
q=aaCAZMMMfor a search request) that produces the exact same 32-bit hash as a sensitive endpoint (e.g.,/api/user/profile). When a victim visits a crafted link containing the colliding parameter, the SSR process executes both the search request and the profile request. Due to the hash collision, the search response overwrites the profile response in theTransferStatecache.Impact
When the application attempts to retrieve the cached response for the sensitive endpoint (such as the user's profile), it receives the attacker-controlled response instead. This results in:
Patched Versions
Framework-Level Fix
The logic has been updated to use a cryptographically secure SHA-256 hash algorithm for generating
TransferStatecache keys inHttpTransferCache. The cache keys are now 256-bit hexadecimal strings.Workarounds
If you cannot upgrade immediately, configure your
HttpClientrequests to skip transfer caching for sensitive endpoints:Alternatively, disable the HTTP transfer cache globally in your application bootstrap config:
Credits
This vulnerability was discovered and reported by CodeMender from Google DeepMind.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
angular/angular (@angular/common)
v21.2.17Compare Source
Deprecations
platform-server
@angular/platform-serveris deprecated. Use standardfetchAPIs instead.common
compiler
core
http
platform-server
service-worker
v21.2.16Compare Source
v21.2.15Compare Source
common
compiler
core
http
platform-server
service-worker
v21.2.14Compare Source
compiler
core
router
v21.2.13Compare Source
core
platform-server
allowedHostsoption torenderModuleandrenderApplicationv21.2.12Compare Source
core
forms
v21.2.11Compare Source
common
compiler
core
platform-server
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.