Name of the Vulnerable Software and Affected Versions Angular Universal versions 16.1.0 through 16.1.1

Description The issue allows an attacker to trick another user into visiting a page that injects malicious JavaScript, resulting in a cross-site scripting (XSS) attack. This occurs when critical CSS inlining is used in Angular Universal applications. While Angular CLI applications without Universal also perform critical CSS inlining, exploiting this requires a malicious actor to already have access to modify source code directly.

Recommendations For Angular Universal versions 16.1.0 and 16.1.1, upgrade @nguniversal/common to 16.1.2 or higher, or downgrade to 16.0.x or lower. Alternatively, override the critters dependency with version 0.0.20 in your package.json by adding the following configuration: { "overrides": { "critters": "0.0.20" } }