fix(deps): update dependency @angular/core to v20.3.25 [security]#1307
Open
renovate[bot] wants to merge 1 commit into
Open
fix(deps): update dependency @angular/core to v20.3.25 [security]#1307renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Contributor
Author
|
fd2fe2f to
9b2e7b9
Compare
1e242ae to
a12f648
Compare
1eceb58 to
3661a45
Compare
3661a45 to
7678cf4
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^19.2.18→^20.0.020.3.24→20.3.25Review
Angular Client Hydration DOM Clobbering & Response-Cache Poisoning
CVE-2026-54267 / GHSA-rgjc-h3x7-9mwg
More information
Details
To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via
provideClientHydration(). During SSR, Angular serializes the application's runtime state (such as cachedHttpClientresponses) and outputs it into the HTML stream as a<script>tag with a predictable identifier:During client bootstrap, Angular recovers this state by looking up the element via
document.getElementById('ng-state')and parsing its text content.Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (
ng-state), it is susceptible to DOM Clobbering.If the application binds untrusted user input or CMS content to element properties such as
id(e.g.,<div [id]="userInput">or<a id="ng-state">) before the genuine<script>tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup.During hydration, when Angular calls
document.getElementById('ng-state'), the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON.Impact
By clobbering the state element, the attacker can inject a custom JSON payload into Angular's
TransferStatecache. The most critical exploitation vector is poisoning the HTTP Transfer Cache.ng-stateelement containing custom JSON.HttpClientchecksTransferStatebefore making requests. Finding the poisoned key,HttpClientreturns the forged response instantly instead of requesting the genuine backend API.Depending on how the application processes and renders the affected API response, this can lead to:
Patched Versions
Workarounds
If you cannot immediately update to a patched Angular version, apply the following workarounds:
A. Avoid Dynamic/User-Controlled IDs
Avoid binding raw user-supplied values or dynamic CMS IDs directly to element attributes. If dynamic IDs are required, sanitize them or prepend a static safe prefix:
B. Configure a Custom Application ID
Declaring a unique, non-predictable
APP_IDchanges the ID suffix of the state element, making it harder for attackers to predict and target:This changes the state element lookup ID from
ng-statetounique-obfuscated-app-id-state.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
angular/angular (@angular/core)
v20.3.25Compare Source
Deprecations
platform-server
@angular/platform-serveris deprecated. Use standardfetchAPIs instead.common
compiler
core
http
platform-server
service-worker
v20.3.24Compare Source
platform-server
v20.3.23Compare Source
compiler
v20.3.22Compare Source
common
compiler
core
http
platform-server
service-worker
v20.3.21Compare Source
platform-server
allowedHostsoption torenderModuleandrenderApplicationv20.3.20Compare Source
core
platform-server
v20.3.19Compare Source
platform-server
v20.3.18Compare Source
compiler
core
v20.3.17Compare Source
Breaking Changes
core
Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.
(cherry picked from commit
03da204)core
v20.3.16Compare Source
core
v20.3.15Compare Source
compiler
attributeNameand MathML/SVG URLsv20.3.14Compare Source
http
v20.3.13Compare Source
v20.3.12Compare Source
v20.3.11Compare Source
common
compiler
core
v20.3.10Compare Source
compiler-cli
migrations
v20.3.9Compare Source
v20.3.7Compare Source
animations
Element.animateexceptions (#64506)compiler
compiler-cli
core
router
v20.3.6Compare Source
core
platform-browser
DomEventsPluginshould always be the last plugin to be called forsupports(). (#50394)v20.3.5Compare Source
compiler-cli
core
animate.leavefunction bindings (#64413)migrations
router
v20.3.4Compare Source
core
migrations
v20.3.3Compare Source
compiler
core
migrations
v20.3.2Compare Source
Deprecations
platform-server
@angular/platform-serveris deprecated. Use standardfetchAPIs instead.common
compiler
core
http
platform-server
service-worker
v20.3.1Compare Source
platform-server
v20.3.0Compare Source
Breaking Changes
core
The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.
Before:
After:
A schematic is provided to automatically update
main.server.tsfiles to pass theBootstrapContextto thebootstrapApplicationcall.In addition,
getPlatform()anddestroyPlatform()will now returnnulland be a no-op respectively when running in a server environment.(cherry picked from commit
8bf80c9)core
BootstrapContextfor improved server bootstrapping (#63636)v20.2.4Compare Source
core
platform-server
[
v20.2.3](https://redirect.Configuration
📅 Schedule: (in timezone America/Montreal)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.