
Cloud Vulnerability DB
A community-led vulnerabilities database
Angular's server-side rendering (SSR) feature contains a high-severity vulnerability (CVE-2025-59052) with a CVSS score of 7.1. The vulnerability stems from Angular's dependency injection container (platform injector) being stored as a JavaScript module-scoped global variable, which can lead to race conditions during concurrent request processing. This vulnerability affects multiple versions of Angular packages including @angular/platform-server (versions 16.0.0-next.0 through 21.0.0-next.3) and @angular/ssr (versions 17.0.0-next.0 through 21.0.0-next.3). The issue was discovered and disclosed on September 10, 2025 (GitHub Advisory).
The vulnerability occurs in Angular's server-side rendering process where the platform injector, used to hold request-specific state, was implemented as a global variable. When multiple requests are processed concurrently, they can inadvertently share or overwrite this global injector state. The vulnerability affects several APIs including bootstrapApplication, getPlatform, and destroyPlatform. The issue has been assigned CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and received a CVSS v4.0 base score of 7.1 (High) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).
The vulnerability can result in one request responding with data meant for a completely different request, potentially leaking sensitive data or tokens included in the rendered page or response headers. An attacker with network access could exploit this by sending multiple requests and inspecting the responses for information leaks. The impact is particularly significant in high-traffic applications where concurrent requests are common (Security Online).
The issue has been patched in all active release lines with @angular/platform-server versions 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14, and @angular/ssr versions 21.0.0-next.3, 20.3.0, 19.2.16, and 18.2.21. For projects unable to update immediately, several workarounds are available: disable SSR via Server Routes or builder options, remove asynchronous behavior from custom bootstrap functions, eliminate usage of getPlatform() in application code, and ensure the server build defines ngJitMode as false. Angular provides automated migration schematics via ng update for versions 18, 19, and 20 (Security Online, GitHub Advisory).
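To make the race concrete, here is an added Node.js model of the failure mode (not Angular's code): a module-scoped global stands in for the pre-patch platform injector, and an `await` inside the render is where two concurrent requests interleave, which is also why the advisory's workaround of removing asynchronous behavior from custom bootstrap functions helps. The functions `renderShared`, `renderScoped`, `tick`, `concurrentRenders` and the two sample requests are constructed for illustration.

```javascript
// Added example, not Angular's code: minimal model of the CVE-2025-59052 race.
// globalPlatform stands in for the module-scoped platform injector that held
// request-specific state before the fix.
let globalPlatform = null; // shared by every request handled in this process

// Stands in for asynchronous work during bootstrap (route resolution, lazy chunks).
const tick = () => new Promise((resolve) => setImmediate(resolve));

// Vulnerable shape: request state is parked in the shared global across an await.
async function renderShared(request) {
  globalPlatform = { sessionToken: request.token };
  await tick(); // control returns to the event loop; another render may run here
  return `<meta name="session" content="${globalPlatform.sessionToken}">`;
}

// Safe shape: request state lives in a per-render value that is never shared.
async function renderScoped(request) {
  const platform = { sessionToken: request.token };
  await tick();
  return `<meta name="session" content="${platform.sessionToken}">`;
}

// Constructed sample traffic: two requests whose tokens must never cross over.
const SAMPLE_REQUESTS = [
  { id: 'A', token: 'token-A' },
  { id: 'B', token: 'token-B' },
];

// Render the requests concurrently and report, per request, whether its response
// lacks its own token (i.e. it was served another request's state).
async function concurrentRenders(render, requests = SAMPLE_REQUESTS) {
  const bodies = await Promise.all(requests.map((r) => render(r)));
  return requests.map((r, i) => ({
    id: r.id,
    leaked: !bodies[i].includes(r.token),
    body: bodies[i],
  }));
}

// Stand-alone run: request A is served request B's token under the shared
// platform; with per-render state neither request leaks.
concurrentRenders(renderShared).then((rows) => console.log('shared:', rows));
concurrentRenders(renderScoped).then((rows) => console.log('scoped:', rows));
```

The same concurrent-render check, pointed at your own SSR server with distinct per-request markers, is a useful regression test after applying the patched package versions.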
Source: This report was generated using AI