CVE-2025-59052: 
JavaScript vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2025-59052) has been identified in Angular's server-side rendering (SSR) feature, with a CVSS score of 7.1. The vulnerability stems from a global platform injector race condition in Angular's dependency injection system that could lead to cross-request data leakage. The flaw affects Angular versions from 16.0.0-next.0 up to versions prior to 18.2.14, 19.2.15, 20.3.0, and 21.0.0-next.3 in the @angular/platform-server, @angular/ssr, and @nguniversal/common packages (Angular Advisory).

The vulnerability occurs because Angular's SSR uses a DI container (platform injector) to hold request-specific state, which was historically stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. The issue affects several APIs including bootstrapApplication, getPlatform, and destroyPlatform, which previously relied on the global platform injector state (Security Online, Angular Advisory).

The vulnerability can lead to one request responding with data meant for a completely different request, potentially leaking sensitive data, tokens, or headers included in the rendered page. Any attacker with network access to send requests that receive rendered responses could potentially exploit this flaw by sending multiple requests and inspecting the responses for information leaks (Angular Advisory).

The issue has been patched in all active release lines with versions @angular/platform-server 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14, and @angular/ssr 21.0.0-next.3, 20.3.0, 19.2.16, and 18.2.21. For those unable to update immediately, several workarounds are available: disable SSR via Server Routes or builder options, remove asynchronous behavior from custom bootstrap functions, eliminate usage of getPlatform() in application code, and ensure the server build defines ngJitMode as false (Angular Advisory).