fix(deps): update dependency @angular/core to v21.2.17 [security] - autoclosed #1111

renovate[bot] wants to merge 1 commit into
Up to standards ✅

🟢 Issues

| Metric | Results |
|---|---|
| Complexity | ✅ 0 (≤ 20 complexity) |

🟢 Coverage: ∅ diff coverage · +0.00% coverage variation

| Metric | Results |
|---|---|
| Coverage variation | ✅ +0.00% coverage variation (-1.00%) |
| Diff coverage | ✅ ∅ diff coverage |

Coverage variation details

| Commit | Coverable lines | Covered lines | Coverage |
|---|---|---|---|
| Common ancestor commit (2f9f86e) | 15036 | 7250 | 48.22% |
| Head commit (ccee3d1) | 15036 (+0) | 7250 (+0) | 48.22% (+0.00%) |

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: `<coverage of head commit> - <coverage of common ancestor commit>`

Diff coverage details

| | Coverable lines | Covered lines | Diff coverage |
|---|---|---|---|
| Pull request (#1111) | 0 | 0 | ∅ (not applicable) |

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: `<covered lines added or modified>/<coverable lines added or modified> * 100%`
🚨 Client Code Validation Failed 🚨

The client code in

```shell
cd ./client
pnpm generate:openapi
```

Commit and push the updated files.
This PR contains the following updates:
21.2.14 → 21.2.17

Angular Client Hydration DOM Clobbering & Response-Cache Poisoning
CVE-2026-54267 / GHSA-rgjc-h3x7-9mwg
More information
Details
To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via `provideClientHydration()`. During SSR, Angular serializes the application's runtime state (such as cached `HttpClient` responses) and outputs it into the HTML stream as a `<script>` tag with a predictable identifier.

During client bootstrap, Angular recovers this state by looking up the element via `document.getElementById('ng-state')` and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (`ng-state`), it is susceptible to DOM Clobbering.

If the application binds untrusted user input or CMS content to element properties such as `id` (e.g., `<div [id]="userInput">` or `<a id="ng-state">`) before the genuine `<script>` tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls `document.getElementById('ng-state')`, the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON.

Impact

By clobbering the state element, the attacker can inject a custom JSON payload into Angular's `TransferState` cache. The most critical exploitation vector is poisoning the HTTP Transfer Cache.

- `ng-state` element containing custom JSON.
- `HttpClient` checks `TransferState` before making requests. Finding the poisoned key, `HttpClient` returns the forged response instantly instead of requesting the genuine backend API.

Depending on how the application processes and renders the affected API response, this can lead to:
Patched Versions
Workarounds
If you cannot immediately update to a patched Angular version, apply the following workarounds:
A. Avoid Dynamic/User-Controlled IDs
Avoid binding raw user-supplied values or dynamic CMS IDs directly to element attributes. If dynamic IDs are required, sanitize them or prepend a static safe prefix:
B. Configure a Custom Application ID
Declaring a unique, non-predictable `APP_ID` changes the ID suffix of the state element, making it harder for attackers to predict and target. This changes the state element lookup ID from `ng-state` to `unique-obfuscated-app-id-state`.

Severity

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
@angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)
CVE-2026-52725 / GHSA-692r-grfm-v8x7
More information
Details
An issue in the `@angular/core` package allows bypassing script-execution restrictions during dynamic component creation.

Specifically, the dynamic component instantiation mechanism (`createComponent`) failed to reject mounting components directly onto a `<script>` or namespaced script element (such as `<svg:script>`). This enabled the initialization of custom components on a tag that executes scripts, allowing attackers to hijack or inject script-executing hosts.

This flaw enables an attacker who can control the host element or selector parameter passed to `createComponent` to initialize or mount an Angular component directly onto a `<script>` tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS).

Impact
Any Angular application that registers dynamic components based on user-supplied parameters (like selectors or host elements) is vulnerable to this security bypass.
Once exploited, this allows a malicious actor to mount a dynamic component on a script tag, bypassing core dynamic component creation safeguards to execute arbitrary JavaScript within the target user's browser context. This could lead to session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user.
Attack Preconditions
To successfully exploit these vulnerabilities, the following environment parameters and application states must all concurrently exist:
`createComponent`.

Patches
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Angular: Template and Attribute Namespace Sanitization Bypass (XSS)
CVE-2026-50557 / GHSA-f3m7-gqxr-g87x
More information
Details
An issue in the `@angular/compiler` and `@angular/core` packages allows bypassing element and attribute sanitization/validation through specific namespace workarounds.

Specifically, namespaced script elements (e.g., `<svg:script>` or `<:svg:script>`) were not properly identified as script elements by the Angular template preparser, allowing them to pass through template compilation without being stripped.

Furthermore, security context schema mappings for element attributes did not consistently handle attributes within namespaced elements (like SVG and MathML), opening up gaps where malicious namespaced attributes could bypass runtime and compile-time sanitizers.
Combined, these flaws enable an attacker who can inject or supply a template/tag structure with custom namespaces to bypass Angular's script-stripping logic and attribute sanitizers, leading to client-side Cross-Site Scripting (XSS).
Impact
Any Angular application that compiles user-controlled templates at runtime, or relies on sanitization of namespaced elements/attributes, is vulnerable to this security bypass.
Once exploited, this allows a malicious actor to inject a namespaced script element or dynamic attribute bindings, bypassing core sanitization constraints to execute arbitrary JavaScript within the target user's browser context. This could lead to session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user.
Attack Preconditions
To successfully exploit these vulnerabilities, the following environment parameters and application states must all concurrently exist:
`<svg:script>`) to evade standard tag-name blocklists/checks.

Patches
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
angular/angular (@angular/core)
v21.2.17 (Compare Source)
Deprecations
platform-server
`@angular/platform-server` is deprecated. Use standard `fetch` APIs instead.

common
compiler
core
http
platform-server
service-worker
v21.2.16 (Compare Source)
common
compiler
core
platform-server
v21.2.15 (Compare Source)
common
compiler
core
http
platform-server
service-worker
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
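Added example, not part of this PR, of Angular's code or of the advisory text: TypeScript helpers that carry out the intent of the two hydration workarounds above, a prefixed and sanitized dynamic id (workaround A) and a read of the hydration state that refuses any element found at the looked-up id that is not a `<script type="application/json">`, with the id derived from `APP_ID` (workaround B). The helper names (`safeDynamicId`, `readHydrationState`, `ElementLike`), the DOM stubs and the assumption that the genuine state element is emitted as `<script type="application/json">` are mine.

```typescript
// Added example, not Angular's own code. Assumed names: safeDynamicId,
// readHydrationState, ElementLike. Constructed stubs stand in for the DOM.
const ID_PREFIX = "user-";      // static safe prefix (workaround A)
const STATE_SUFFIX = "-state";  // state element id is APP_ID + "-state"

/** Minimal element shape so the example runs without a browser DOM. */
interface ElementLike {
  tagName: string;
  attrs: Record<string, string>;
  textContent: string;
}

/** Workaround A: after prefixing, a user/CMS supplied id can never equal
 *  "ng-state"; characters outside [A-Za-z0-9_-] are dropped as well. */
function safeDynamicId(raw: string): string {
  const cleaned = raw.replace(/[^A-Za-z0-9_-]/g, "").slice(0, 64);
  return ID_PREFIX + (cleaned || "id");
}

/** Defensive read of the hydration state: reject any element found at the
 *  state id that is not a <script type="application/json"> (assumption about
 *  how the genuine element is emitted), then require a plain JSON object. */
function readHydrationState(
  byId: (id: string) => ElementLike | null,
  appId = "ng",
): Record<string, unknown> | null {
  const el = byId(appId + STATE_SUFFIX);
  if (!el || el.tagName.toUpperCase() !== "SCRIPT") return null; // clobbered or absent
  if (el.attrs["type"] !== "application/json") return null;
  try {
    const parsed: unknown = JSON.parse(el.textContent);
    return parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)
      ? (parsed as Record<string, unknown>)
      : null;
  } catch {
    return null; // malformed JSON is treated like a missing state element
  }
}

// Constructed samples: the genuine state script vs. an <a> clobbering its id.
const genuine: ElementLike = {
  tagName: "SCRIPT", attrs: { type: "application/json" },
  textContent: '{"G.https://api.example/items":{"body":[1,2]}}',
};
const clobbered: ElementLike = {
  tagName: "A", attrs: {}, textContent: '{"G.https://api.example/items":{"body":"forged"}}',
};
const genuineDom = (id: string) => (id === "ng-state" ? genuine : null);
const clobberedDom = (id: string) => (id === "ng-state" ? clobbered : null);
```

With the default app id the clobbered `<a>` is rejected and the genuine script is parsed; with a custom app id the lookup no longer targets `ng-state` at all.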