CVE-2025-59052

{"id": "CVE-2025-59052", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-09-10T21:15:37.283", "references": [{"url": "https://github.com/angular/angular-cli/pull/31108", "source": "security-advisories@github.com"}, {"url": "https://github.com/angular/angular/pull/63562", "source": "security-advisories@github.com"}, {"url": "https://github.com/angular/angular/security/advisories/GHSA-68x2-mx4q-78m7", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the \"platform injector\") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks. The APIs `bootstrapApplication`, `getPlatform`, and `destroyPlatform` were vulnerable and required SSR-only breaking changes.\nThe issue has been patched in all active release lines as well as in the v21 prerelease. Patched packages include `@angular/platform-server` 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14 and `@angular/ssr` 21.0.0-next.3, 20.3.0, 19.2.16, and 18.2.21. Several workarounds are available. Disable SSR via Server Routes or builder options, remove any asynchronous behavior from custom `bootstrap` functions, remove uses of `getPlatform()` in application code, and/or ensure that the server build defines `ngJitMode` as false."}, {"lang": "es", "value": "Angular es una plataforma de desarrollo para construir aplicaciones web m\u00f3viles y de escritorio usando TypeScript/JavaScript y otros lenguajes. Angular usa un contenedor DI (el 'inyector de plataforma') para mantener el estado espec\u00edfico de la solicitud durante la renderizaci\u00f3n del lado del servidor. Por razones hist\u00f3ricas, el contenedor se almacenaba como una variable global con alcance de m\u00f3dulo de JavaScript. Cuando se procesan m\u00faltiples solicitudes concurrentemente, estas podr\u00edan compartir o sobrescribir inadvertidamente el estado global del inyector. En t\u00e9rminos pr\u00e1cticos, esto puede llevar a que una solicitud responda con datos destinados a una solicitud completamente diferente, filtrando datos o tokens incluidos en la p\u00e1gina renderizada o en los encabezados de respuesta. Mientras un atacante tuviera acceso a la red para enviar cualquier tr\u00e1fico que recibiera una respuesta renderizada, podr\u00eda haber sido capaz de enviar un gran n\u00famero de solicitudes y luego inspeccionar las respuestas en busca de fugas de informaci\u00f3n. Las APIs 'bootstrapApplication', 'getPlatform' y 'destroyPlatform' eran vulnerables y requer\u00edan cambios disruptivos solo para SSR.\nEl problema ha sido parcheado en todas las l\u00edneas de lanzamiento activas, as\u00ed como en la versi\u00f3n preliminar v21. Los paquetes parcheados incluyen '@angular/platform-server' 21.0.0-next.3, 20.3.0, 19.2.15 y 18.2.14 y '@angular/ssr' 21.0.0-next.3, 20.3.0, 19.2.16 y 18.2.21. Varias soluciones alternativas est\u00e1n disponibles. Deshabilite SSR a trav\u00e9s de Rutas del Servidor u opciones del constructor, elimine cualquier comportamiento as\u00edncrono de las funciones 'bootstrap' personalizadas, elimine los usos de 'getPlatform()' en el c\u00f3digo de la aplicaci\u00f3n, y/o aseg\u00farese de que la compilaci\u00f3n del servidor defina 'ngJitMode' como falso."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "security-advisories@github.com"}