Skip to content

fix(deps): update dependency @angular/core to v20.3.25 [security]#1307

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-angular-core-vulnerability
Open

fix(deps): update dependency @angular/core to v20.3.25 [security]#1307
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-angular-core-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@angular/core (source) ^19.2.18^20.0.0 age confidence
@angular/core (source) 20.3.2420.3.25 age confidence

Review

  • Updates have been tested and work
  • If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

Angular Client Hydration DOM Clobbering & Response-Cache Poisoning

CVE-2026-54267 / GHSA-rgjc-h3x7-9mwg

More information

Details

To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application's runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a <script> tag with a predictable identifier:

<script type="application/json" id="ng-state">
    {"some-api-url": {"body": ...}}
</script>

During client bootstrap, Angular recovers this state by looking up the element via document.getElementById('ng-state') and parsing its text content.

Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering.

If the application binds untrusted user input or CMS content to element properties such as id (e.g., <div [id]="userInput"> or <a id="ng-state">) before the genuine <script> tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup.

During hydration, when Angular calls document.getElementById('ng-state'), the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON.

Impact

By clobbering the state element, the attacker can inject a custom JSON payload into Angular's TransferState cache. The most critical exploitation vector is poisoning the HTTP Transfer Cache.

  1. The attacker injects a clobbered ng-state element containing custom JSON.
  2. The JSON maps a key (representing a target API endpoint URL) to a malicious payload of the attacker's choice.
  3. During client-side initialization, Angular's HttpClient checks TransferState before making requests. Finding the poisoned key, HttpClient returns the forged response instantly instead of requesting the genuine backend API.

Depending on how the application processes and renders the affected API response, this can lead to:

  • DOM-based Cross-Site Scripting (XSS) if poisoned fields are rendered using unsafe bindings.
  • Privilege Escalation by spoofing user info or session details retrieved from poisoned API payloads.
  • UI Hijacking and redirection by spoofing configuration endpoints.
Patched Versions
  • 22.0.1
  • 21.2.17
  • 20.3.25
Workarounds

If you cannot immediately update to a patched Angular version, apply the following workarounds:

A. Avoid Dynamic/User-Controlled IDs

Avoid binding raw user-supplied values or dynamic CMS IDs directly to element attributes. If dynamic IDs are required, sanitize them or prepend a static safe prefix:

<!-- Vulnerable Pattern -->
<div [id]="userControlledInput">...</div>

<!-- Mitigated Pattern -->
<div [id]="'safe-prefix-' + userControlledInput">...</div>
B. Configure a Custom Application ID

Declaring a unique, non-predictable APP_ID changes the ID suffix of the state element, making it harder for attackers to predict and target:

// app.config.ts

import { APP_ID } from '@&#8203;angular/core';
import { provideClientHydration } from '@&#8203;angular/platform-browser';

export const appConfig = {
  providers: [
    { provide: APP_ID, useValue: 'unique-obfuscated-app-id' },
    provideClientHydration()
  ]
};

This changes the state element lookup ID from ng-state to unique-obfuscated-app-id-state.

Severity

  • CVSS Score: 8.6 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

angular/angular (@​angular/core)

v20.3.25

Compare Source

Deprecations

platform-server
  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.
common
Commit Type Description
9f443bc24c fix Limits date format string length
566ad05f20 fix skip transfer cache for uncacheable HTTP traffic
1a62130a6b fix use cryptographically secure SHA-256 for transfer cache key generation
compiler
Commit Type Description
a68ec702a0 fix sanitize two-way properties
core
Commit Type Description
768a349e6e fix harden TransferState restoration against DOM clobbering
ca48b4728d fix validate lowercase SVG animation attribute names (#​69270)
http
Commit Type Description
06be298267 fix preserve empty referrer option in HttpRequest
fa940e1f4d fix Rejects non-HTTP(S) URLs in JSONP requests
e2ef1ce72a fix skip transfer cache for fetch credentialed requests
platform-server
Commit Type Description
49368c1859 fix harden platform location origin validation during SSR
d55c94ad81 refactor deprecate ServerXhr (#​69256)
service-worker
Commit Type Description
d65a5f457b fix Strips sensitive headers on cross-origin redirects

v20.3.24

Compare Source

platform-server
Commit Type Description
6ca433e56b fix throw on suspicious URLs and restrict protocol-relative URLs
8680b5152f fix update domino to latest version

v20.3.23

Compare Source

compiler
Commit Type Description
d40acc6431 fix prevent namespaced SVG <style> elements from being stripped

v20.3.22

Compare Source

common
Commit Type Description
3d135ce59b fix add upper bounds for digitsInfo
39a4b4cc8e fix sanitize placeholder
compiler
Commit Type Description
8f35b182b1 fix normalize tag names with custom namespaces in DomElementSchemaRegistry (#​68926)
64a89e917a fix sanitize dynamic href and xlink:href bindings on SVG a elements (#​68926)
6404edfe0a fix strip namespaced SVG script elements during template compilation (#​68926)
core
Commit Type Description
e345a58069 fix normalize tag names in runtime i18n attribute security context lookup (#​68926)
d86e4e7b2a fix reject script element as a dynamic component host (#​68926)
af04936045 fix sanitize meta selectors
dc631efa96 fix support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#​68926)
909ef047b3 fix synchronize core sanitization schema with compiler (#​68926)
http
Commit Type Description
de7b2a62e7 fix exclude withCredentials requests from transfer cache
4233188d8e fix skip TransferCache for cookie-bearing requests by default
platform-server
Commit Type Description
49a60f6045 fix secure location and document initialization against SSRF and path hijack
service-worker
Commit Type Description
5fdfd8a998 fix preserve redirect policy on reconstructed asset requests
83b022f2d0 fix Preserves explicit 'credentials: omit' in asset requests
e617fa06eb fix Preserves HTTP cache mode in asset group requests

v20.3.21

Compare Source

platform-server
Commit Type Description
f584840e2e fix add allowedHosts option to renderModule and renderApplication

v20.3.20

Compare Source

core
Commit Type Description
a9bcffdbc7 fix disallow event attribute bindings in host bindings unconditionally (#​68468)
97eeb45cfa fix validate security-sensitive attributes in i18n bindings (#​68468)
platform-server
Commit Type Description
25e4e07238 fix ensure origin has a trailing slash when parsing url (#​68468)

v20.3.19

Compare Source

platform-server
Commit Type Description
303d4cd580 fix prevent SSRF bypasses via protocol-relative and backslash URLs

v20.3.18

Compare Source

compiler
Commit Type Description
02fbf08890 fix disallow translations of iframe src
core
Commit Type Description
72126f9a08 fix sanitize translated attribute bindings with interpolations
626bc8bc20 fix sanitize translated form attributes

v20.3.17

Compare Source

Breaking Changes

core
  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 03da204)

core
Commit Type Description
7f9de3c118 fix block creation of sensitive URI attributes from ICU messages

v20.3.16

Compare Source

core
Commit Type Description
c2c2b4aaa8 fix sanitize sensitive attributes on SVG script elements

v20.3.15

Compare Source

compiler
Commit Type Description
d1ca8ae043 fix prevent XSS via SVG animation attributeName and MathML/SVG URLs

v20.3.14

Compare Source

http
Commit Type Description
0276479e7d fix prevent XSRF token leakage to protocol-relative URLs

v20.3.13

Compare Source

v20.3.12

Compare Source

v20.3.11

Compare Source

common
Commit Type Description
5047849a4a fix remove placeholder image listeners once view is removed
compiler
Commit Type Description
f9d0818087 fix support arbitrary nesting in :host-context()
106b9040df fix support commas in :host() argument
9419ea348a fix support complex selectors in :nth-child()
036c5d2a07 fix support one additional level of nesting in :host()
core
Commit Type Description
dcdd1bcdbb fix skip leave animations on view swaps

v20.3.10

Compare Source

compiler-cli
Commit Type Description
840db59dc1 fix make required inputs diagnostic less noisy
migrations
Commit Type Description
a45e6b2b66 fix Prevent removal of templates referenced with preceding whitespace characters

v20.3.9

Compare Source

v20.3.7

Compare Source

animations
Commit Type Description
bd38cd45a5 fix account for Element.animate exceptions (#​64506)
compiler
Commit Type Description
891f180262 fix correctly compile long numeric HTML entities (#​64297)
compiler-cli
Commit Type Description
371274bfc6 fix missingStructuralDirective diagnostic produces false negatives (#​64470)
core
Commit Type Description
4c89a267c3 fix pass element removal property through in all locations (#​64565)
2fad4d4ab6 fix prevent duplicate nodes from being retained with fast `animate.leave`` calls (#​64592)
router
Commit Type Description
cfd8ed3fff fix Fix outlet serialization and parsing with no primary children (#​64505)
182fe78f91 fix Surface parse errors in Router.parseUrl (#​64503)

v20.3.6

Compare Source

core
Commit Type Description
911d6822cb fix update animation scheduling (#​64441)
platform-browser
Commit Type Description
2ece42866d fix DomEventsPlugin should always be the last plugin to be called for supports(). (#​50394)

v20.3.5

Compare Source

compiler-cli
Commit Type Description
8dec92ff9f fix capture metadata for undecorated fields (#​63957) (#​64317)
c2e817b0ef perf fix performance of "interpolated signal not invoked" check (#​64410)
core
Commit Type Description
f15cfa4cc4 fix fixes regression in animate.leave function bindings (#​64413)
d54dd674ca fix Prevents early style pruning with leave animations (#​64335)
migrations
Commit Type Description
554573e524 fix migrating input with more than 1 usage in a method (#​64367)
2c79ca0b57 fix remove error for no matching files in control flow migration (#​64253) (#​64314)
router
Commit Type Description
6e4bcc7d22 fix Scroll restoration should use instant scroll behavior for traversals (#​64299)

v20.3.4

Compare Source

core
Commit Type Description
853ed169a8 fix ensure missing leave animations don't queue leave animations (#​64226)
6fed986b7a fix Fixes animations in conjunction with content projection (#​63776)
76fe5599fe fix handle undefined CSS time values in parseCssTimeUnitsToMs function (#​64181)
3b959105be fix prevent early exit from leave animations when multiple transitions are present (#​64225)
migrations
Commit Type Description
65884895ff fix preserve component imports when pruning NgModules in standalone migration (#​64186)

v20.3.3

Compare Source

compiler
Commit Type Description
f51ab32fb3 fix recover template literals with broken expressions (#​64150)
core
Commit Type Description
542cd0019a fix do not rename ARIA property bindings to attributes (#​64089)
0e928fbc4a fix Fixes animations in conjunction with content projection (#​63776)
e5157bd933 fix prevents unintended early termination of leave animations and hoisting (#​64088)
migrations
Commit Type Description
1710cbd7d4 fix handle shorthand property declarations in NgModule (#​64160)
77b6305a4b fix skip migration for inputs with 'this' references (#​64142)

v20.3.2

Compare Source

Deprecations

platform-server
  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.
common
Commit Type Description
9f443bc24c fix Limits date format string length
566ad05f20 fix skip transfer cache for uncacheable HTTP traffic
1a62130a6b fix use cryptographically secure SHA-256 for transfer cache key generation
compiler
Commit Type Description
a68ec702a0 fix sanitize two-way properties
core
Commit Type Description
768a349e6e fix harden TransferState restoration against DOM clobbering
ca48b4728d fix validate lowercase SVG animation attribute names (#​69270)
http
Commit Type Description
06be298267 fix preserve empty referrer option in HttpRequest
fa940e1f4d fix Rejects non-HTTP(S) URLs in JSONP requests
e2ef1ce72a fix skip transfer cache for fetch credentialed requests
platform-server
Commit Type Description
49368c1859 fix harden platform location origin validation during SSR
d55c94ad81 refactor deprecate ServerXhr (#​69256)
service-worker
Commit Type Description
d65a5f457b fix Strips sensitive headers on cross-origin redirects

v20.3.1

Compare Source

platform-server
Commit Type Description
303d4cd580 fix prevent SSRF bypasses via protocol-relative and backslash URLs

v20.3.0

Compare Source

Breaking Changes

core
  • The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

    Before:

    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:

    const bootstrap = (context: BootstrapContext) =>
      bootstrapApplication(AppComponent, config, context);

    A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

    In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

    (cherry picked from commit 8bf80c9)

Commit Type Description
a3f808d7c8 fix remove refresh button from transfer state tab (#​63592)
core
Commit Type Description
6117ccee2e feat introduce BootstrapContext for improved server bootstrapping (#​63636)

v20.2.4

Compare Source

core
Commit Type Description
dc64f3e478 fix Fixed inject migration schematics for migrate destructured properties (#​62832)
platform-server
Commit Type Description
d1d32db972 fix prevent false warning for duplicate state serialization (#​63525)

[v20.2.3](https://redirect.

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone America/Montreal)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner June 15, 2026 18:58
@renovate

renovate Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: packages/angular/tests/app/package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: gc-design-system-components-angular-test-app@0.0.0
npm error Found: @angular/compiler@20.3.24
npm error node_modules/@angular/compiler
npm error   peer @angular/compiler@"^20.0.0" from @angular/build@20.3.27
npm error   node_modules/@angular/build
npm error     dev @angular/build@"^20.1.5" from the root project
npm error   peer @angular/compiler@"20.3.24" from @angular/compiler-cli@20.3.24
npm error   node_modules/@angular/compiler-cli
npm error     peer @angular/compiler-cli@"^20.0.0" from @angular/build@20.3.27
npm error     node_modules/@angular/build
npm error       dev @angular/build@"^20.1.5" from the root project
npm error     dev @angular/compiler-cli@"^20.1.0" from the root project
npm error   1 more (the root project)
npm error
npm error Could not resolve dependency:
npm error @angular/core@"20.3.25" from the root project
npm error
npm error Conflicting peer dependency: @angular/compiler@20.3.25
npm error node_modules/@angular/compiler
npm error   peerOptional @angular/compiler@"20.3.25" from @angular/core@20.3.25
npm error   node_modules/@angular/core
npm error     @angular/core@"20.3.25" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-07-13T15_22_51_961Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-07-13T15_22_51_961Z-debug-0.log

File name: utils/angular-output-target/package-lock.json
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @angular/animations@19.2.25
npm ERR! Found: @angular/core@20.3.26
npm ERR! node_modules/@angular/core
npm ERR!   @angular/core@"^20.0.0" from the root project
npm ERR!   peer @angular/core@">=15.0.0 <21.0.0" from jest-preset-angular@14.6.2
npm ERR!   node_modules/jest-preset-angular
npm ERR!     dev jest-preset-angular@"^14.4.2" from the root project
npm ERR!   2 more (@gcds-core/components-angular, @stencil/angular-output-target)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer @angular/core@"19.2.25" from @angular/animations@19.2.25
npm ERR! node_modules/@angular/animations
npm ERR!   @angular/animations@"^19.2.15" from the root project
npm ERR!   peerOptional @angular/animations@"19.2.25" from @angular/platform-browser@19.2.25
npm ERR!   node_modules/@angular/platform-browser
npm ERR!     dev @angular/platform-browser@"^19.2.15" from the root project
npm ERR!     3 more (@angular/forms, @angular/platform-browser-dynamic, @angular/router)
npm ERR! 
npm ERR! Conflicting peer dependency: @angular/core@19.2.25
npm ERR! node_modules/@angular/core
npm ERR!   peer @angular/core@"19.2.25" from @angular/animations@19.2.25
npm ERR!   node_modules/@angular/animations
npm ERR!     @angular/animations@"^19.2.15" from the root project
npm ERR!     peerOptional @angular/animations@"19.2.25" from @angular/platform-browser@19.2.25
npm ERR!     node_modules/@angular/platform-browser
npm ERR!       dev @angular/platform-browser@"^19.2.15" from the root project
npm ERR!       3 more (@angular/forms, @angular/platform-browser-dynamic, @angular/router)
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /runner/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2026-07-13T15_22_56_662Z-debug-0.log

File name: package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @angular/animations@19.2.25
npm error Found: @angular/core@20.3.26
npm error node_modules/@angular/core
npm error   @angular/core@"^20.0.0" from the root project
npm error   peer @angular/core@">=15.0.0 <21.0.0" from jest-preset-angular@14.6.2
npm error   node_modules/jest-preset-angular
npm error     dev jest-preset-angular@"^14.4.2" from the root project
npm error   2 more (@gcds-core/components-angular, @stencil/angular-output-target)
npm error
npm error Could not resolve dependency:
npm error peer @angular/core@"19.2.25" from @angular/animations@19.2.25
npm error node_modules/@angular/animations
npm error   @angular/animations@"^19.2.15" from the root project
npm error   peerOptional @angular/animations@"19.2.25" from @angular/platform-browser@19.2.25
npm error   node_modules/@angular/platform-browser
npm error     dev @angular/platform-browser@"^19.2.15" from the root project
npm error     3 more (@angular/forms, @angular/platform-browser-dynamic, @angular/router)
npm error
npm error Conflicting peer dependency: @angular/core@19.2.25
npm error node_modules/@angular/core
npm error   peer @angular/core@"19.2.25" from @angular/animations@19.2.25
npm error   node_modules/@angular/animations
npm error     @angular/animations@"^19.2.15" from the root project
npm error     peerOptional @angular/animations@"19.2.25" from @angular/platform-browser@19.2.25
npm error     node_modules/@angular/platform-browser
npm error       dev @angular/platform-browser@"^19.2.15" from the root project
npm error       3 more (@angular/forms, @angular/platform-browser-dynamic, @angular/router)
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-07-13T15_23_00_820Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-07-13T15_23_00_820Z-debug-0.log

@renovate renovate Bot force-pushed the renovate/npm-angular-core-vulnerability branch 2 times, most recently from fd2fe2f to 9b2e7b9 Compare June 18, 2026 16:00
@renovate renovate Bot force-pushed the renovate/npm-angular-core-vulnerability branch 2 times, most recently from 1e242ae to a12f648 Compare June 30, 2026 13:38
@renovate renovate Bot force-pushed the renovate/npm-angular-core-vulnerability branch 3 times, most recently from 1eceb58 to 3661a45 Compare July 9, 2026 17:58
@renovate renovate Bot force-pushed the renovate/npm-angular-core-vulnerability branch from 3661a45 to 7678cf4 Compare July 13, 2026 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants