Red Hat CVE-2025-59052

This vulnerability is classified under CWE-362. Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks. The APIs bootstrapApplication, getPlatform, and destroyPlatform were vulnerable and required SSR-only breaking changes. The issue has been patched in all active release lines as well as in the v21 prerelease. Patched packages include @angular/platform-server 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14 and @angular/ssr 21.0.0-next.3, 20.3.0, 19.2.16, and 18.2.21. Several workarounds are available. Disable SSR via Server Routes or builder options, remove any asynchronous behavior from custom bootstrap functions, remove uses of getPlatform() in application code, and/or ensure that the server build defines ngJitMode as false.