Alan-Agius4

#39030 of 53,630
7.1 Total CVSS
Vulnerabilities · 1
PT-2025-37099
7.1
2025-09-10
Google · Angular · CVE-2025-59052
Name of the Vulnerable Software and Affected Versions:
Angular versions 18.2.14 through 18.2.21
Angular versions 19.2.15 through 19.2.16
Angular versions 20.3.0
Angular versions 21.0.0-next.3

Description:
Angular uses a DI container to hold request-specific state during server-side rendering. Due to historical reasons, this container was stored as a JavaScript module-scoped global variable. Concurrent requests could inadvertently share or overwrite the global injector state, potentially leading to one request responding with data intended for another, resulting in data or token leaks. The APIs `bootstrapApplication`, `getPlatform`, and `destroyPlatform` were vulnerable.

Recommendations:
Angular versions 18.2.14 through 18.2.21: Update to version 18.2.21.
Angular versions 19.2.15 through 19.2.16: Update to version 19.2.16.
Angular versions 20.3.0: Update to version 20.3.0.
Angular versions 21.0.0-next.3: No specific recommendation is available.
As a workaround, disable SSR via Server Routes or builder options.
As a workaround, remove any asynchronous behavior from custom `bootstrap` functions.
As a workaround, remove uses of `getPlatform()` in application code.
As a workaround, ensure that the server build defines `ngJitMode` as false.
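
The shared-state race in the description, as an added JavaScript model (not Angular source and not the project's patch). `yield` stands in for an `await` inside a custom bootstrap function; `globalPlatform`, `renderShared`, `renderIsolated`, `runInterleaved` and `crossRequestLeaks` are hypothetical names, and the tokens are constructed sample values.

```javascript
// Constructed model of module-scoped SSR state; not Angular's code.
let globalPlatform = null; // module scope: one slot shared by every request

// Vulnerable shape: per-request state is parked in the module-scoped slot.
function* renderShared(req) {
  globalPlatform = { token: req.token }; // set up state for this request
  yield; // async step: the event loop may run another request here
  return { id: req.id, html: `<p>token=${globalPlatform.token}</p>` };
}

// Isolated shape (assumed mitigation pattern): state lives in request scope.
function* renderIsolated(req) {
  const platform = { token: req.token };
  yield;
  return { id: req.id, html: `<p>token=${platform.token}</p>` };
}

// Deterministic scheduler: advances each in-flight request one step per
// round, the way concurrent requests interleave at await points.
function runInterleaved(render, requests) {
  let pending = requests.map((r) => render(r));
  const results = [];
  while (pending.length > 0) {
    const stillRunning = [];
    for (const task of pending) {
      const step = task.next();
      if (step.done) results.push(step.value);
      else stillRunning.push(task);
    }
    pending = stillRunning;
  }
  return results;
}

// Regression check: ids of responses that do not carry their own token.
function crossRequestLeaks(results, requests) {
  const own = new Map(requests.map((r) => [r.id, r.token]));
  return results.filter((res) => !res.html.includes(own.get(res.id)))
    .map((res) => res.id);
}

// Constructed sample input: two concurrent requests with distinct tokens.
const SAMPLE_REQUESTS = [
  { id: 'A', token: 'tok-alice' },
  { id: 'B', token: 'tok-bob' },
];
const sharedRun = runInterleaved(renderShared, SAMPLE_REQUESTS);
const isolatedRun = runInterleaved(renderIsolated, SAMPLE_REQUESTS);
console.log('shared leaks:', crossRequestLeaks(sharedRun, SAMPLE_REQUESTS));
console.log('isolated leaks:', crossRequestLeaks(isolatedRun, SAMPLE_REQUESTS));
```

The same check, run against a real SSR endpoint with per-request marker values under concurrent load, is a practical regression test after upgrading.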