chore(deps): update dependency @angular/ssr to v20.3.6 [security] #73

renovate · 2025-09-11T01:13:47Z

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/ssr	`20.0.0` -> `20.3.6`

GitHub Vulnerability Alerts

CVE-2025-59052

Impact

Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state.

In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks.

The following APIs were vulnerable and required SSR-only breaking changes:

bootstrapApplication: This function previously implicitly retrieved the last platform injector that was created. It now requires an explicit BootstrapContext in a server environment. This function is only used for standalone applications. NgModule-based applications are not affected.
getPlatform: This function previously returned the last platform instance that was created. It now always returns null in a server environment.
destroyPlatform: This function previously destroyed the last platform instance that was created. It's now a no-op when called in a server environment.

For bootstrapApplication, the framework now provides a new argument to the application's bootstrap function:

// Before:
const bootstrap = () => bootstrapApplication(AppComponent, config);

// After:
const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

As is usually the case for changes to Angular, an automatic schematic will take care of these code changes as part of ng update:

# For apps on Angular v20:
ng update @&#8203;angular/cli @&#8203;angular/core

# For apps on Angular v19:
ng update @&#8203;angular/cli@19 @&#8203;angular/core@19

# For apps on Angular v18:
ng update @&#8203;angular/cli@18 @&#8203;angular/core@18

The schematic can also be invoked explicitly if the version bump was pulled in independently:

# For apps on Angular v20:
ng update @&#8203;angular/core --name add-bootstrap-context-to-server-main

# For apps on Angular v19:
ng update @&#8203;angular/core@19 --name add-bootstrap-context-to-server-main

# For apps on Angular v18:
ng update @&#8203;angular/core@18 --name add-bootstrap-context-to-server-main

For applications that still use CommonEngine, the bootstrap property in CommonEngineOptions also gains the same context argument in the patched versions of Angular.

In local development (ng serve), Angular CLI triggered a codepath for Angular's "JIT" feature on the server even in applications that weren't using it in the browser. The codepath introduced async behavior between platform creation and application bootstrap, triggering the race condition even if an application didn't explicitly use getPlatform or custom async logic in bootstrap. Angular applications should never run in this mode outside of local development.

Patches

The issue has been patched in all active release lines as well as in the v21 prerelease:

@angular/platform-server: 21.0.0-next.3
@angular/platform-server: 20.3.0
@angular/platform-server: 19.2.15
@angular/platform-server: 18.2.14
@angular/ssr: 21.0.0-next.3
@angular/ssr: 20.3.0
@angular/ssr: 19.2.16
@angular/ssr: 18.2.21

Workarounds

Disable SSR via Server Routes (v19+) or builder options.
Remove any asynchronous behavior from custom bootstrap functions.
Remove uses of getPlatform() in application code.
Ensure that the server build defines ngJitMode as false.

References

CVE-2025-62427

Impact

The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr).

The function createRequestUrl uses the native URL constructor. When an incoming request path (e.g., originalUrl or url) begins with a double forward slash (//) or backslash (\\), the URL constructor treats it as a schema-relative URL. This behavior overrides the security-intended base URL (protocol, host, and port) supplied as the second argument, instead resolving the URL against the scheme of the base URL but adopting the attacker-controlled hostname.

This allows an attacker to specify an external domain in the URL path, tricking the Angular SSR environment into setting the page's virtual location (accessible via DOCUMENT or PlatformLocation tokens) to this attacker-controlled domain. Any subsequent relative HTTP requests made during the SSR process (e.g., using HttpClient.get('assets/data.json')) will be incorrectly resolved against the attacker's domain, forcing the server to communicate with an arbitrary external endpoint.

Exploit Scenario

A request to http://localhost:4200//attacker-domain.com/some-page causes Angular to believe the host is attacker-domain.com. A relative request to api/data then becomes a server-side request to http://attacker-domain.com/api/data.

Patches

@angular/ssr 19.2.18
@angular/ssr 20.3.6
@angular/ssr 21.0.0-next.8

Mitigation

The application's internal location must be robustly determined from the incoming request. The fix requires sanitizing or validating the request path to prevent it from being interpreted as a schema-relative URL (i.e., ensuring it does not start with //).

Server-Side Middleware

If you can't upgrade to a patched version, implement a middleware on the Node.js/Express server that hosts the Angular SSR application to explicitly reject or sanitize requests where the path begins with a double slash (//).

Example (Express/Node.js):

// Place this middleware before the Angular SSR handler
app.use((req, res, next) => {
  if (req.originalUrl?.startsWith('//')) {
    // Sanitize by forcing a single slash
    req.originalUrl = req.originalUrl.replace(/^\/\/+/, '/');
    req.url = req.url.replace(/^\/\/+/, '/');
  }
  next();
});

References

Release Notes

angular/angular-cli (@angular/ssr)

Commit	Type	Description
c94bf7ff0	fix	Out of the box support for PM2
465436c9f	fix	use bracket notation for `process.env['pm_id']`

Commit	Type	Description
be60be499	fix	add timestamp to bundle generation log
d60f4e53d	fix	update vite to version `7.1.5`

Commit	Type	Description
a793bbc47	fix	don't set a default for array options when length is 0
2736599e2	fix	set process title when running architect commands

Commit	Type	Description
5c2abffea	fix	avoid extra tick in SSR dev-server builds
f3c826853	fix	maintain media output hashing with vitest unit-testing

Commit	Type	Description
6937123a3	fix	directly resolve karma config template in migration
5d6dd4425	fix	prevent AI config schematic from failing when 'none' and other AI tools are selected

Commit	Type	Description
06a6ddc10	fix	correct JS/TS file paths when running under Bazel
b6816b0cb	fix	ensure karma polyfills reporter factory returns a value

Commit	Type	Description
b4de9a1bf	feat	add --experimental-tool option to mcp command
755ba70fd	feat	add --local-only option to mcp command
59d7ef343	feat	add --read-only option to mcp command
4e92eb6f1	feat	add modernize tool to the MCP server
a3b25f675	fix	add choices to command line parser when type is array and has an enum
e19eee614	fix	address Node.js deprecation DEP0190
4ee6f327a	fix	apply default to array types
8ba6b0bcc	fix	use correct path for MCP get_best_practices tool

Commit	Type	Description
2e3cfd598	feat	add migration to remove default Karma configurations
d80dae276	feat	add schematics to generate ai context files.
ffe6fb916	fix	allow AI config prompt to be skipped without selecting a value
ae2802b7d	fix	improve AI config prompt wording
b017f84fd	fix	improve coverage directory handling for Karma configuration comparisons
6a79f9a75	fix	zoneless is now stable

Commit	Type	Description
584bc1d41	fix	add extra prettier config
02b0506fd	fix	correct configure the `typeSeparator` in the library schematic

Commit	Type	Description
541b33f8d	fix	emit a warning when `outputHashing` is set to `all` or `bundles` when HMR is enabled
558a0fe92	fix	normalize code coverage include paths to POSIX

Commit	Type	Description
0836ad28f	fix	correctly remap Angular diagnostics
c475e546b	fix	exclude `@vitest/browser/context` from esbuild bundling
1a2da161e	fix	failed to proxy error for assets

Commit	Type	Description
1159cf081	feat	add code coverage reporters option for unit-test
8f305ef0b	feat	add dataurl, base64 loaders
adfeee0a4	fix	adjust coverage includes/excludes for unit-test vitest runner
c19cd2985	fix	coverage reporter option
8879716ca	fix	expose unit test and karma builder API
a415a4999	fix	improve default coverage reporter handling for vitest
e0de8680d	fix	inject zone.js/testing before karma builder execution
2672f6ec1	fix	json and json-summary as vitest coverage reporters
b67fdfd6b	fix	resolve "Controller is already closed" error in Karma
2784883ec	fix	support extra test setup files with unit-test vitest runner
f177f5508	fix	support injecting global styles into vitest unit-tests
130c65014	fix	use an empty array as default value for vitest exclude
917af12ae	fix	use date/time based output path for vitest unit-test

Commit	Type	Description
309742289	fix	avoid preloading unnecessary dynamic bundles
82691b98f	fix	ensure correct referer header handling in web request conversion

Commit	Type	Description
e90a808c0	fix	include `main.server.ts` in `tsconfig.files` when present
5c48b8e0a	fix	reset module `typeSeparator` when generating applications

Commit	Type	Description
56f426e25	fix	include custom bundle name scripts with karma
dfe3a8b73	fix	increase worker idle timeout
e6d27bd5e	fix	set scripts option output as classic script for karma

Commit	Type	Description
bf64a0f2d	fix	add `less` as a devDependency when selected as the style preprocessor
cb258a3e1	fix	correctly detect modules using new file extension format

Commit	Type	Description
525ddcbd2	fix	only overwrite JSON file if actually changed
83c820e5a	fix	remove karma config devkit package usages during application migration
87266b38a	fix	skip zone.js dependency for zoneless applications

Commit	Type	Description
e5efdc577	fix	also disable outputMode in vitest unit-tests
5814393db	fix	resolve junit karma reporter output to workspace root

chore(deps): update dependency @angular/ssr to v20.3.6 [security] #73

Are you sure you want to change the base?

chore(deps): update dependency @angular/ssr to v20.3.6 [security] #73

Uh oh!

Conversation

renovate bot commented Sep 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

References

Impact

Exploit Scenario

Patches

Mitigation

Server-Side Middleware

References

Release Notes

Breaking Changes

Configuration

Uh oh!

netlify bot commented Sep 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

❌ Deploy Preview for test-angular-starter-template failed. Why did it fail? →

Uh oh!

netlify bot commented Sep 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

❌ Deploy Preview for testing-angular-template failed. Why did it fail? →

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate bot commented Sep 11, 2025 •

edited

Loading

netlify bot commented Sep 11, 2025 •

edited

Loading

netlify bot commented Sep 11, 2025 •

edited

Loading