CVE-2025-59052

EPSS 0.05%
Published 10.09.2025 20:13:56
Last modified 11.09.2025 17:14:10
Source security-advisories@github.com
Teams watchlist Login
Open Login

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks. The APIs `bootstrapApplication`, `getPlatform`, and `destroyPlatform` were vulnerable and required SSR-only breaking changes.
The issue has been patched in all active release lines as well as in the v21 prerelease. Patched packages include `@angular/platform-server` 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14 and `@angular/ssr` 21.0.0-next.3, 20.3.0, 19.2.16, and 18.2.21. Several workarounds are available. Disable SSR via Server Routes or builder options, remove any asynchronous behavior from custom `bootstrap` functions, remove uses of `getPlatform()` in application code, and/or ensure that the server build defines `ngJitMode` as false.

Affected products Warnungen 0 Metrics 2 CWE 1 References 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Vendorangular

≫

Product angular

Version @angular/platform-server >= 16.0.0-next.0, < 18.2.14

Status affected

Version @angular/platform-server >= 20.0.0-next.0, < 20.3.0

Status affected

Version @angular/platform-server >= 19.0.0-next.0, < 19.2.15

Status affected

Version @angular/platform-server >= 21.0.0-next.0, < 21.0.0-next.3

Status affected

Version @angular/ssr >= 17.0.0-next.0, < 18.2.21

Status affected

Version @angular/ssr >= 19.0.0-next.0, < 19.2.16

Status affected

Version @angular/ssr >= 20.0.0-next.0, < 20.3.0

Status affected

Version @angular/ssr >= 21.0.0-next.0, < 21.0.0-next.3

Status affected

Version @nguniversal/common >= 16.0.0-next.0, <= 16.2.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.05%	0.142

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security-advisories@github.com	7.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

https://github.com/angular/angular/security/advisories/GHSA-68x2-mx4q-78m7

https://github.com/angular/angular-cli/pull/31108

https://github.com/angular/angular/pull/63562

https://nvd.nist.gov/vuln/detail/CVE-2025-59052

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-59052

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-59052

EUVD