CVE-2025-59052
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.
A race condition vulnerability (CVE-2025-59052) has been identified in Angular’s server-side rendering (SSR) functionality. The framework’s dependency injection container (“platform injector”) was historically stored as a module-scoped global variable, which was shared across concurrent requests. As a result, multiple requests could overwrite or leak each other’s state, creating a timing window where sensitive data from one request could be returned in the response to another.
This type of unintended exposure of sensitive data is known as information disclosure. Per OWASP, information disclosure happens when applications fail to protect sensitive data, letting attackers access information they shouldn’t. In this case, an attacker sending multiple requests could exploit the race condition to capture data from other users.
This issue affects multiple Angular packages with server-side rendering capabilities, including @angular/platform-server, @angular/ssr, and @nguniversal/common. Workarounds and patched releases are available for most affected packages.
Details
Module Info
- Product: Angular
- Affected packages: @angular/platform-server, @angular/ssr, @nguniversal/common
- Affected versions:
  - @angular/platform-server — >=16.0.0-next.0 <18.2.14, >=19.0.0-next.0 <19.2.15, >=20.0.0-next.0 <20.3.0, >=21.0.0-next.0 <21.0.0-next.3
  - @angular/ssr — >=17.0.0-next.0 <18.2.21, >=19.0.0-next.0 <19.2.16, >=20.0.0-next.0 <20.3.0, >=21.0.0-next.0 <21.0.0-next.3
  - @nguniversal/common — >=16.0.0-next.0
- GitHub repositories:
- Published packages:
- Package manager: npm
- Fixed in: NES for Angular
Vulnerability Info
This high-severity vulnerability affects Angular packages with server-side rendering (SSR) functionality, including @angular/platform-server, @angular/ssr, and @nguniversal/common. A race condition in the global dependency injection container ("platform injector") allows concurrent requests to inadvertently share or overwrite state. This can lead to one request's state—including rendered page content and response headers—being exposed or overwritten by another request, resulting in unintended information disclosure.
Even applications not explicitly using SSR or the affected APIs (getPlatform, bootstrapApplication, destroyPlatform) may be impacted in local development (ng serve) due to Angular CLI triggering asynchronous behavior.
Patched versions are available for most affected packages. The patches include breaking changes to the server-side bootstrapping process. Developers should apply updates and relevant migration schematics to ensure proper handling of the platform injector.
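The race described above, reduced to a minimal model as an added example (this is not Angular's, HeroDevs' or any affected package's code). The "platform injector" is simplified to a per-request record, a render is split into two phases separated by the await point that forms the timing window, and a deterministic scheduler replaces real concurrency so the interleaving can be chosen explicitly. The request ids, user names and function names are constructed for illustration; the only thing the model keeps from the advisory is where the injector lives: module scope shared by every in-flight request, versus one instance per request threaded through explicitly.

```typescript
// Added example, not Angular's own code: a minimal model of the CVE-2025-59052 race.
// The "platform injector" is reduced to a per-request record; what matters is whether
// it lives in module scope (shared by every in-flight request) or is passed per request.

interface RequestContext {
  requestId: string; // constructed sample id
  user: string;      // per-request data that must not reach another request's response
}

interface RenderedResponse {
  requestId: string;
  body: string;
}

// ---- Vulnerable shape: one module-scoped injector shared by all concurrent renders ----
let globalInjector: RequestContext | null = null;

// A render is modelled as two phases separated by an await point (the timing window).
// Phase 1 installs this request's state in the shared global ...
function vulnerableBegin(req: RequestContext): void {
  globalInjector = req;
}

// ... and phase 2 reads the global back to build the response. If another request ran
// its own phase 1 in between, this response is built from that request's state.
function vulnerableFinish(req: RequestContext): RenderedResponse {
  if (globalInjector === null) throw new Error('platform not bootstrapped');
  return { requestId: req.requestId, body: `Hello, ${globalInjector.user}` };
}

// ---- Fixed shape: a fresh injector per request, threaded through explicitly ----
function safeBegin(req: RequestContext): RequestContext {
  return { ...req }; // no module-level state is touched
}

function safeFinish(req: RequestContext, injector: RequestContext): RenderedResponse {
  return { requestId: req.requestId, body: `Hello, ${injector.user}` };
}

// One step of a deterministic interleaving of two concurrent renders.
interface Step {
  request: 'A' | 'B';
  phase: 'begin' | 'finish';
}

// Constructed sample requests from two different users.
const REQUESTS: Record<'A' | 'B', RequestContext> = {
  A: { requestId: 'A', user: 'alice' },
  B: { requestId: 'B', user: 'bob' },
};

// Runs both renders under the given interleaving and returns each request's response.
function simulate(schedule: Step[], mode: 'vulnerable' | 'safe'): Record<string, RenderedResponse> {
  globalInjector = null; // reset the shared state between simulations
  const perRequestInjectors: Partial<Record<'A' | 'B', RequestContext>> = {};
  const responses: Record<string, RenderedResponse> = {};

  for (const step of schedule) {
    const req = REQUESTS[step.request];
    if (step.phase === 'begin') {
      if (mode === 'vulnerable') vulnerableBegin(req);
      else perRequestInjectors[step.request] = safeBegin(req);
    } else if (mode === 'vulnerable') {
      responses[req.requestId] = vulnerableFinish(req);
    } else {
      const injector = perRequestInjectors[step.request];
      if (injector === undefined) throw new Error(`request ${req.requestId} never began`);
      responses[req.requestId] = safeFinish(req, injector);
    }
  }
  return responses;
}

// Post-render check usable as a regression test: a response may only contain the user
// of the request it answers. Returns the ids of requests whose body came from another.
function leakedRequestIds(responses: Record<string, RenderedResponse>): string[] {
  const leaked: string[] = [];
  for (const [id, resp] of Object.entries(responses)) {
    const expected = `Hello, ${REQUESTS[id as 'A' | 'B'].user}`;
    if (resp.body !== expected) leaked.push(id);
  }
  return leaked;
}

// Two schedules: renders that do not overlap, and renders whose phases interleave.
const SEQUENTIAL: Step[] = [
  { request: 'A', phase: 'begin' }, { request: 'A', phase: 'finish' },
  { request: 'B', phase: 'begin' }, { request: 'B', phase: 'finish' },
];
const INTERLEAVED: Step[] = [
  { request: 'A', phase: 'begin' }, { request: 'B', phase: 'begin' },
  { request: 'A', phase: 'finish' }, { request: 'B', phase: 'finish' },
];

function report(mode: 'vulnerable' | 'safe'): void {
  console.log(mode, 'sequential leaks:', leakedRequestIds(simulate(SEQUENTIAL, mode)));
  console.log(mode, 'interleaved leaks:', leakedRequestIds(simulate(INTERLEAVED, mode)));
}
report('vulnerable'); // interleaved leaks: [ 'A' ]  (A's response carries bob's data)
report('safe');       // interleaved leaks: []
```

Under the sequential schedule both shapes behave identically, which is why the bug is invisible in single-request testing and only surfaces under concurrent load (or, as noted above, when the CLI introduces asynchronous behavior during `ng serve`). The `leakedRequestIds` check is the kind of assertion worth keeping in an SSR test suite after upgrading: render several requests concurrently and verify each response only contains data belonging to its own request.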
Mitigation
Users of affected Angular packages should apply one of the following mitigations:
- Upgrade to a patched version of the affected packages:
  - @angular/platform-server — patched releases available
  - @angular/ssr — patched releases available
  - @nguniversal/common — no patch currently available; apply other mitigations listed below
- Apply workarounds such as disabling server-side rendering, removing asynchronous behavior from custom bootstrap functions, avoiding getPlatform() in application code, or ensuring that the server build defines ngJitMode as false.
- Leverage commercial support — HeroDevs provides security support for Angular versions 4–18.