
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity Cross-site Scripting (XSS) vulnerability was discovered in Angular Universal applications using critical CSS inlining, affecting versions 16.1.0 and 16.1.1 of the @nguniversal/common npm package. The vulnerability was disclosed on August 8, 2023, and was assigned the identifier GHSA-r3hf-q8q7-fv2p. This security issue allows attackers to execute malicious JavaScript by tricking users into visiting specially crafted pages (GitHub Advisory).
The vulnerability specifically affects the critical CSS inlining functionality in Angular Universal applications. While Angular CLI applications without Universal also perform critical CSS inlining, exploitation in those cases would require direct access to modify source code. The vulnerability is classified with CWE-79 (Cross-site Scripting) and has been assigned a high severity rating (Angular Universal Advisory).
When exploited, this vulnerability allows attackers to perform cross-site scripting attacks by injecting malicious JavaScript code. The attack vector involves tricking users into visiting compromised pages, potentially leading to unauthorized code execution in the context of the victim's browser (GitHub Advisory).
Users are advised to upgrade @nguniversal/common to version 16.1.2 or higher, as this version contains the security fix. Alternatively, users can either downgrade to version 16.0.x or lower, or override the critters dependency with version 0.0.20 in their package.json using the following configuration: { "overrides": { "critters": "0.0.20" } } (GitHub Advisory).
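The remediation options above can be checked against a project's manifests. The following is an added example, not code from the advisory or the Angular project; the function names, status strings and sample manifests are constructed for illustration, and it assumes an npm lockfile in the v2/v3 format with a `packages` map.

```javascript
// Added example: classify a project against GHSA-r3hf-q8q7-fv2p using the
// version facts stated in the advisory text above.
const AFFECTED = new Set(["16.1.0", "16.1.1"]); // affected @nguniversal/common versions
const CRITTERS_FIX = "0.0.20";                  // override version named in the advisory

// Every resolved version of `name` in an npm v2/v3 lockfile, including nested copies.
function resolvedVersions(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([, meta]) => meta.version);
}

// pkg = parsed package.json, lock = parsed package-lock.json
function auditProject(pkg, lock) {
  const universal = resolvedVersions(lock, "@nguniversal/common");
  if (!universal.some((v) => AFFECTED.has(v))) {
    return { status: "not-affected", universal }; // upgraded, downgraded, or absent
  }
  const overrideDeclared = (pkg.overrides || {}).critters === CRITTERS_FIX;
  const critters = resolvedVersions(lock, "critters");
  const installed = critters.length > 0 && critters.every((v) => v === CRITTERS_FIX);
  // The override only helps once the lockfile actually resolves critters to 0.0.20.
  const status = installed ? "mitigated"
    : overrideDeclared ? "override-not-installed"
    : "affected";
  return { status, overrideDeclared, universal, critters };
}

// Constructed sample manifests (not taken from any real project).
const samplePkg = { dependencies: { "@nguniversal/common": "^16.1.0" } };
const sampleLock = {
  packages: {
    "node_modules/@nguniversal/common": { version: "16.1.1" },
    "node_modules/critters": { version: "0.0.0-sample" }, // placeholder version
  },
};

console.log(auditProject(samplePkg, sampleLock).status);
console.log(
  auditProject({ ...samplePkg, overrides: { critters: "0.0.20" } }, sampleLock).status
);
```

A result of `override-not-installed` means the `overrides` entry is present in package.json but the lockfile has not been regenerated to reflect it.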
Source: This report was generated using AI