Skip to content

fix(deps): update dependency @angular/compiler to v20.3.25 [security]#1309

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-angular-compiler-vulnerability
Open

fix(deps): update dependency @angular/compiler to v20.3.25 [security]#1309
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-angular-compiler-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@angular/compiler (source) 20.3.2420.3.25 age confidence
@angular/compiler (source) ^19.2.15^20.0.0 age confidence

Review

  • Updates have been tested and work
  • If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

@​angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)

CVE-2026-54265 / GHSA-58w9-8g37-x9v5

More information

Details

An issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings.

Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]="value" or bindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized.

This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS).

Impact

Any Angular application that uses two-way data binding ([()] or bindon-) on security-sensitive native DOM properties (like innerHTML, href on <a>, src on <img>/<iframe>, etc.) is vulnerable to this security bypass.

Once exploited, this allows a malicious actor to supply an unsanitized property binding value that bypasses core sanitization constraints. This could lead to the execution of arbitrary JavaScript within the target user's browser context, potentially resulting in session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user.

Attack Preconditions

To successfully exploit this vulnerability, the following environment parameters and application states must concurrently exist:

  1. Two-Way Binding on Sensitive Properties: The application must bind to a sensitive native DOM property using the two-way binding syntax (e.g., <div [(innerHTML)]="userContent"></div>).
  2. User-Controlled Input: The value bound to this property must be influenceable by user-controlled input.
  3. Absence of Additional Sanitization: The application does not perform separate manual sanitization (e.g., via DomSanitizer) before passing the value to the bound property.
Patches
  • 22.0.1
  • 21.2.17
  • 20.3.25

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

angular/angular (@​angular/compiler)

v20.3.25

Compare Source

Deprecations

platform-server
  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.
common
Commit Type Description
9f443bc24c fix Limits date format string length
566ad05f20 fix skip transfer cache for uncacheable HTTP traffic
1a62130a6b fix use cryptographically secure SHA-256 for transfer cache key generation
compiler
Commit Type Description
a68ec702a0 fix sanitize two-way properties
core
Commit Type Description
768a349e6e fix harden TransferState restoration against DOM clobbering
ca48b4728d fix validate lowercase SVG animation attribute names (#​69270)
http
Commit Type Description
06be298267 fix preserve empty referrer option in HttpRequest
fa940e1f4d fix Rejects non-HTTP(S) URLs in JSONP requests
e2ef1ce72a fix skip transfer cache for fetch credentialed requests
platform-server
Commit Type Description
49368c1859 fix harden platform location origin validation during SSR
d55c94ad81 refactor deprecate ServerXhr (#​69256)
service-worker
Commit Type Description
d65a5f457b fix Strips sensitive headers on cross-origin redirects

Configuration

📅 Schedule: (in timezone America/Montreal)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: packages/angular/tests/app/package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @angular/compiler-cli@20.3.24
npm error Found: @angular/compiler@20.3.25
npm error node_modules/@angular/compiler
npm error   @angular/compiler@"20.3.25" from the root project
npm error   peer @angular/compiler@"^20.0.0" from @angular/build@20.3.27
npm error   node_modules/@angular/build
npm error     dev @angular/build@"^20.1.5" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @angular/compiler@"20.3.24" from @angular/compiler-cli@20.3.24
npm error node_modules/@angular/compiler-cli
npm error   peer @angular/compiler-cli@"^20.0.0" from @angular/build@20.3.27
npm error   node_modules/@angular/build
npm error     dev @angular/build@"^20.1.5" from the root project
npm error   dev @angular/compiler-cli@"^20.1.0" from the root project
npm error
npm error Conflicting peer dependency: @angular/compiler@20.3.24
npm error node_modules/@angular/compiler
npm error   peer @angular/compiler@"20.3.24" from @angular/compiler-cli@20.3.24
npm error   node_modules/@angular/compiler-cli
npm error     peer @angular/compiler-cli@"^20.0.0" from @angular/build@20.3.27
npm error     node_modules/@angular/build
npm error       dev @angular/build@"^20.1.5" from the root project
npm error     dev @angular/compiler-cli@"^20.1.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-07-12T14_31_01_955Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-07-12T14_31_01_955Z-debug-0.log

File name: package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn ERESOLVE overriding peer dependency
npm warn While resolving: @angular/build@19.2.27
npm warn Found: @angular/compiler@20.3.26
npm warn node_modules/@angular/compiler
npm warn   @angular/compiler@"^20.0.0" from the root project
npm warn
npm warn Could not resolve dependency:
npm warn peer @angular/compiler@"^19.0.0 || ^19.2.0-next.0" from @angular/build@19.2.27
npm warn node_modules/@angular/build
npm warn   @angular/build@"19.2.27" from @angular-devkit/build-angular@19.2.27
npm warn   node_modules/@angular-devkit/build-angular
npm warn
npm warn Conflicting peer dependency: @angular/compiler@19.2.25
npm warn node_modules/@angular/compiler
npm warn   peer @angular/compiler@"^19.0.0 || ^19.2.0-next.0" from @angular/build@19.2.27
npm warn   node_modules/@angular/build
npm warn     @angular/build@"19.2.27" from @angular-devkit/build-angular@19.2.27
npm warn     node_modules/@angular-devkit/build-angular
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @angular/compiler-cli@19.2.25
npm error Found: @angular/compiler@20.3.26
npm error node_modules/@angular/compiler
npm error   @angular/compiler@"^20.0.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @angular/compiler@"19.2.25" from @angular/compiler-cli@19.2.25
npm error node_modules/@angular/compiler-cli
npm error   dev @angular/compiler-cli@"^19.2.15" from the root project
npm error   peer @angular/compiler-cli@"^19.0.0 || ^19.2.0-next.0" from @angular-devkit/build-angular@19.2.27
npm error   node_modules/@angular-devkit/build-angular
npm error     dev @angular-devkit/build-angular@"^19.2.20" from the root project
npm error   4 more (@angular/build, @ngtools/webpack, jest-preset-angular, ng-packagr)
npm error
npm error Conflicting peer dependency: @angular/compiler@19.2.25
npm error node_modules/@angular/compiler
npm error   peer @angular/compiler@"19.2.25" from @angular/compiler-cli@19.2.25
npm error   node_modules/@angular/compiler-cli
npm error     dev @angular/compiler-cli@"^19.2.15" from the root project
npm error     peer @angular/compiler-cli@"^19.0.0 || ^19.2.0-next.0" from @angular-devkit/build-angular@19.2.27
npm error     node_modules/@angular-devkit/build-angular
npm error       dev @angular-devkit/build-angular@"^19.2.20" from the root project
npm error     4 more (@angular/build, @ngtools/webpack, jest-preset-angular, ng-packagr)
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-07-12T14_31_03_970Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-07-12T14_31_03_970Z-debug-0.log

@renovate renovate Bot force-pushed the renovate/npm-angular-compiler-vulnerability branch 2 times, most recently from 857d596 to 2e0e0f5 Compare June 18, 2026 16:00
@renovate renovate Bot force-pushed the renovate/npm-angular-compiler-vulnerability branch 2 times, most recently from c27f9ef to 5832a7b Compare June 30, 2026 13:38
@renovate renovate Bot force-pushed the renovate/npm-angular-compiler-vulnerability branch 2 times, most recently from 8dff67e to dbfccdc Compare July 7, 2026 13:00
@renovate renovate Bot force-pushed the renovate/npm-angular-compiler-vulnerability branch from dbfccdc to ea29278 Compare July 9, 2026 17:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants