CVE-2023-28444: 
JavaScript vulnerability analysis and mitigation

CVE-2023-28444 affects angular-server-side-configuration, a package that helps configure Angular applications at runtime via environment variables. The vulnerability was discovered in versions 15.0.0 to 15.1.0 and disclosed on March 24, 2023. The issue occurs in monorepo setups where environment variables intended for backend services could be exposed through the frontend application (GitHub Advisory).

The vulnerability stems from the package's environment variable detection mechanism. During build time, the package scans TypeScript (.ts) files for environment variables and writes them to a ngssc.json file. In version 15.0.0, the detection scope was widened to search the entire project relative to the angular.json file. This change could result in backend environment variables being detected and subsequently exposed via the application's index.html file. The vulnerability has a CVSS v3.1 score of 9.9 CRITICAL with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L (GitHub Advisory).

The vulnerability primarily affects monorepo setups where both frontend and backend components are present. It could lead to the exposure of sensitive environment variables intended for backend services through the frontend application's index.html file. Notably, this vulnerability has no impact on plain Angular projects without backend components (NVD).

The vulnerability has been patched in version 15.1.0 by introducing a 'searchPattern' option that restricts the detection file range by default to '{sourceRoot}/*/!(server*).ts'. This limits the search to the sourceRoot of the related angular.json project and excludes files with 'server' in their name. As a workaround for affected versions, users can manually edit or create ngssc.json, or run a script after ngssc.json generation (GitHub Advisory).