CVE-2025-59052
BaseFortify

Publication date: 2025-09-10

Last updated on: 2025-09-11

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks. The APIs `bootstrapApplication`, `getPlatform`, and `destroyPlatform` were vulnerable and required SSR-only breaking changes. The issue has been patched in all active release lines as well as in the v21 prerelease. Patched packages include `@angular/platform-server` 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14 and `@angular/ssr` 21.0.0-next.3, 20.3.0, 19.2.16, and 18.2.21. Several workarounds are available. Disable SSR via Server Routes or builder options, remove any asynchronous behavior from custom `bootstrap` functions, remove uses of `getPlatform()` in application code, and/or ensure that the server build defines `ngJitMode` as false.
Meta Information
Published: 2025-09-10
Last Modified: 2025-09-11
Generated: 2026-05-07
AI Q&A: 2025-09-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 9 associated CPEs

Vendor       Product          Version / Range
nguniversal  common           *
angular      platform-server  20.3.0
angular      ssr              19.2.16
angular      ssr              20.3.0
angular      platform-server  19.2.15
angular      ssr              18.2.21
angular      platform-server  21.0.0-next.3
angular      platform-server  18.2.14
angular      ssr              21.0.0-next.3
CWE
CWE-362: The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-59052 is a race condition vulnerability in Angular's server-side rendering (SSR) process. Angular previously used a global, module-scoped platform injector to hold request-specific state during SSR. When multiple requests were processed concurrently, this global injector could be shared or overwritten between requests, causing data leakage. This means one request could inadvertently include data or tokens meant for another request. The vulnerability affects APIs like bootstrapApplication, getPlatform, and destroyPlatform, which have been updated to require explicit context to avoid using the global injector. The fix involves introducing a BootstrapContext to isolate platform injectors per request, preventing cross-request state sharing and improving SSR security and reliability. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can lead to sensitive data leakage between concurrent server-side rendering requests. An attacker with network access can send multiple SSR requests and analyze the responses to extract confidential information such as tokens or user-specific data that belong to other users. This compromises data confidentiality and can expose sensitive information unintentionally. The attack requires no special privileges and has low complexity, making it a significant security risk in environments using Angular SSR without the patched versions or mitigations. [3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring server-side rendered responses for data leakage between concurrent requests. Since the vulnerability causes one request to potentially receive data meant for another, you can detect it by sending multiple concurrent SSR requests and inspecting the responses for leaked tokens or user-specific data. There are no specific commands provided in the resources, but a practical approach is to use tools like curl or automated scripts to send concurrent requests to the SSR endpoints and compare the responses for unexpected shared data. Additionally, reviewing your Angular server-side rendering code for usage of the vulnerable APIs (`bootstrapApplication` without `BootstrapContext`, `getPlatform()`, `destroyPlatform()`) can help identify vulnerable implementations. [3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
1) Upgrade to patched versions of Angular packages such as `@angular/platform-server` (18.2.14, 19.2.15, 20.3.0, or 21.0.0-next.3) and `@angular/ssr` (18.2.21, 19.2.16, 20.3.0, or 21.0.0-next.3).
2) Modify your server-side bootstrap code to use the new `BootstrapContext` parameter with `bootstrapApplication` to ensure isolated platform injectors per request.
3) Remove any asynchronous behavior from custom bootstrap functions.
4) Avoid using `getPlatform()` in your application code.
5) Disable SSR via server routes or builder options if immediate patching is not possible.
6) Ensure that the server build defines `ngJitMode` as false.
These steps prevent the race condition and data leakage caused by the global platform injector. [1, 2, 3]
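The global-injector race that mitigation steps 2 and 3 address, together with the response comparison the detection answer describes, as an added JavaScript model that is not Angular's own code: a module-scoped "platform" shared by two concurrent renders (with and without an asynchronous bootstrap) beside a per-request context, plus a check that flags any response carrying another request's token. The function names, token values and request ids are constructed for the model.

```javascript
// Constructed model of CVE-2025-59052's CWE-362 pattern (not Angular's code):
// request state in a module-scoped global versus passed per request.
const tokenFor = (id) => `token-for-${id}`;

// Vulnerable pattern: the "platform injector" is a module-scoped global.
let globalPlatform = null;
const createPlatform = (id) => { globalPlatform = { id, token: tokenFor(id) }; };
const getPlatform = () => globalPlatform;
const destroyPlatform = () => { globalPlatform = null; };

// asyncBootstrap models a custom bootstrap that awaits before rendering; that
// await is the timing window in which another request overwrites the global.
async function renderWithGlobalPlatform(id, asyncBootstrap) {
  createPlatform(id);
  if (asyncBootstrap) await Promise.resolve(); // yield to the event loop
  const platform = getPlatform();
  if (platform === null) return { id, html: null, error: 'platform destroyed by another request' };
  const html = `<meta name="session" content="${platform.token}">`;
  destroyPlatform();
  return { id, html };
}

// Fixed pattern: the injector travels in an explicit per-request context
// (the BootstrapContext idea), so the same await cannot mix requests up.
async function renderWithContext(id) {
  const context = { platform: { id, token: tokenFor(id) } };
  await Promise.resolve();
  return { id, html: `<meta name="session" content="${context.platform.token}">` };
}

// Defender-side check: which responses carry a token that belongs to another request?
function findCrossRequestLeaks(results) {
  return results.flatMap((r) => results
    .filter((o) => o.id !== r.id && r.html !== null && r.html.includes(tokenFor(o.id)))
    .map((o) => ({ leakedFrom: o.id, leakedTo: r.id })));
}

// One scenario renders two requests concurrently. Scenarios are queued one after
// another so that the global is shared only within a scenario, never across them.
let queue = Promise.resolve();
function simulate(variant) {
  const render = variant === 'fixed' ? (id) => renderWithContext(id)
    : (id) => renderWithGlobalPlatform(id, variant === 'global-async');
  const run = queue.then(() => Promise.all(['req-A', 'req-B'].map(render)))
    .then((results) => ({ results, leaks: findCrossRequestLeaks(results) }));
  queue = run.catch(() => {});
  return run;
}

for (const v of ['global-async', 'global-sync', 'fixed']) simulate(v).then((run) => console.log(v, 'leaks:', run.leaks));
```

Run with node: only the global-async scenario reports a leak (request A's page carries request B's token, and B finds its platform already destroyed), which is why removing asynchronous bootstrap work is listed as a workaround while the per-request context is the fix.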

