PT-2025-37099 · Google · Angular
Alan-Agius4 · Published 2025-09-10 · Updated 2025-12-03 · CVE-2025-59052
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
- Angular versions 18.2.14 through 18.2.21
- Angular versions 19.2.15 through 19.2.16
- Angular version 20.3.0
- Angular version 21.0.0-next.3
Description: Angular uses a DI container to hold request-specific state during server-side rendering. For historical reasons, this container was stored in a JavaScript module-scoped global variable. Because concurrent requests read and write the same global, one request could inadvertently share or overwrite the injector state of another, so a request could respond with data intended for a different request, leaking data or tokens across requests. The APIs bootstrapApplication, getPlatform, and destroyPlatform were vulnerable.
Recommendations:
- Angular versions 18.2.14 through 18.2.21: update to version 18.2.21.
- Angular versions 19.2.15 through 19.2.16: update to version 19.2.16.
- Angular version 20.3.0: update to version 20.3.0.
- Angular version 21.0.0-next.3: no specific recommendation is available.
Workarounds:
- Disable SSR via Server Routes or builder options.
- Remove any asynchronous behavior from custom bootstrap functions.
- Remove uses of getPlatform() in application code.
- Ensure that the server build defines ngJitMode as false.

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2025-59052
GHSA-68X2-MX4Q-78M7

Affected Products

Angular