Update dependency @angular/common to v19.2.23 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/common (source)	19.1.7 → 19.2.23

---

Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client

CVE-2025-66035 / GHSA-58c5-g7wp-6w37

More information

Details

The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.

Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header.

Impact

The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.

Attack Preconditions

1. The victim's Angular application must have XSRF protection enabled.
2. The attacker must be able to make the application send a state-changing HTTP request (e.g., POST) to a protocol-relative URL (e.g., //attacker.com) that they control.

Patches

• 19.2.16
• 20.3.14
• 21.0.1

Workarounds

Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Severity

• CVSS Score: 7.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

References

• https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37
• https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f
• https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc
• https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e
• https://github.com/angular/angular/releases/tag/19.2.16
• https://github.com/angular/angular/releases/tag/20.3.14
• https://github.com/angular/angular/releases/tag/21.0.1
• https://nvd.nist.gov/vuln/detail/CVE-2025-66035
• https://cert-portal.siemens.com/productcert/html/ssa-253495.html
• https://cert-portal.siemens.com/productcert/html/ssa-485750.html
• https://github.com/advisories/GHSA-58c5-g7wp-6w37

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

@​angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache

CVE-2026-50170 / GHSA-q6f4-qqrg-jv6x

More information

Details

A vulnerability was discovered in @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState.

However, the caching mechanism fails to inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared TransferState payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user's private data to other users, leading to a high-severity information disclosure vulnerability.

Impact

Successful exploitation allows an unauthenticated attacker to obtain sensitive, user-specific information of other authenticated users. This occurs when:

• The SSR-rendered HTML containing the cached private data is stored in a shared cache (e.g., CDN, reverse proxy).
• Subsequent requests for the same page receive the cached HTML containing the first user's private data.

Attack Preconditions

• SSR and Hydration Enabled: The Angular application must be configured to use Server-Side Rendering and hydration (e.g., using provideClientHydration()).
• Credentialed Requests during SSR: The application must perform HTTP requests that require user-specific authentication (using cookies or withCredentials: true) during the initial server-side render.
• Shared Caching: The application's HTML responses must be cached by a shared caching layer (CDN, reverse proxy, or server-side cache) without proper cache-control headers to distinguish authenticated users.

Patches

• 22.0.0-rc.2
• 21.2.15
• 20.3.22
• 19.2.23

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/angular/angular/security/advisories/GHSA-q6f4-qqrg-jv6x
• https://github.com/angular/angular/pull/67964
• https://github.com/advisories/GHSA-q6f4-qqrg-jv6x

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

@​angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)

CVE-2026-50171 / GHSA-p3vc-36g9-x9gr

More information

Details

A Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum fraction digits parsed from the digitsInfo string (e.g., 1.2-4) are converted to integers and used without limits.

When parsing a maliciously crafted digitsInfo string with excessively large fraction digit values (e.g., 1.200000000-200000000), the internal roundNumber function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array.

Impact

Successful exploitation of this vulnerability allows an attacker to trigger resource exhaustion, leading to a Denial of Service (DoS):

• Server-Side Rendering (SSR): In applications using SSR (e.g., @angular/ssr), an attacker can crash the Node.js server process due to a JavaScript heap out of memory error. This affects the availability of the application for all users.
• Client-Side Rendering (CSR): In standard client-side applications, the unbounded loop will block the main thread, freezing the user's browser tab and making it unresponsive.

Attack Preconditions

For this vulnerability to be exploitable, the following conditions must be met:

1. Vulnerable Component Usage: The application must use Angular's number formatting utilities, such as the formatNumber function directly, or via template pipes (DecimalPipe, PercentPipe, CurrencyPipe).
2. Attacker-Controlled Parameter: The digitsInfo parameter passed to these utilities must be customizable or directly controlled by untrusted user input (e.g., parsed from query parameters, user preference settings, or API responses that accept user-defined formatting options). If digitsInfo is trusted or limited to a known, defined range for its value, the vulnerability is not exploitable by external attackers.

Patches

• 22.0.0-rc.2
• 21.2.15
• 20.3.22
• 19.2.23

Credits

This vulnerability was discovered and reported by CodeMender from Google DeepMind.

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/angular/angular/security/advisories/GHSA-p3vc-36g9-x9gr
• https://github.com/angular/angular/pull/68840
• https://github.com/advisories/GHSA-p3vc-36g9-x9gr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

angular/angular (@​angular/common)

v19.2.23

Compare Source

common

Commit	Type	Description
62dd27d6af	fix	add upper bounds for digitsInfo
17326725ba	fix	sanitize placeholder

compiler

Commit	Type	Description
932e0728db	fix	normalize tag names with custom namespaces in DomElementSchemaRegistry
2e3d0371ab	fix	sanitize dynamic href and xlink:href bindings on SVG a elements
fe1207e8c5	fix	strip namespaced SVG script elements during template compilation

core

Commit	Type	Description
c6bb0692e2	fix	reject script element as a dynamic component host
3960b21558	fix	sanitize meta selectors
3632fa4b69	fix	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation
620230dac4	fix	synchronize core sanitization schema with compiler
d31f84116c	fix	wrap i18n dynamic element property updates in active index states

http

Commit	Type	Description
9940ffd781	fix	exclude withCredentials requests from transfer cache
0f67f0b962	fix	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Type	Description
d187e8aeda	fix	normalize path parsing in ServerPlatformLocation
c75f60ef8a	fix	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Type	Description
37ee9ffd9e	fix	preserve redirect policy on reconstructed asset requests
97f796203f	fix	Preserves explicit 'credentials: omit' in asset requests
5619120931	fix	Preserves HTTP cache mode in asset group requests

v19.2.22

Compare Source

core

Commit	Type	Description
83a640516f	fix	disallow event attribute bindings in host bindings unconditionally (#​68469)
24a0103a98	fix	validate security-sensitive attributes in i18n bindings (#​68469)

platform-server

Commit	Type	Description
8569db8875	fix	add allowedHosts option to renderModule and renderApplication
837a710217	fix	ensure origin has a trailing slash when parsing url (#​68469)

v19.2.21

Compare Source

platform-server

Commit	Type	Description
f3a5bfb949	fix	prevent SSRF bypasses via protocol-relative and backslash URLs

v19.2.20

Compare Source

compiler

Commit	Type	Description
5be912eb55	fix	disallow translations of iframe src

core

Commit	Type	Description
b89b0a83a4	fix	sanitize translated attribute bindings with interpolations
621c7071ad	fix	sanitize translated form attributes

v19.2.19

Compare Source

Breaking Changes

core

• Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

  (cherry picked from commit 03da204)

core

Commit	Type	Description
747548721d	fix	block creation of sensitive URI attributes from ICU messages

v19.2.18

Compare Source

core

Commit	Type	Description
26cdc53d9c	fix	sanitize sensitive attributes on SVG script elements

v19.2.17

Compare Source

compiler

Commit	Type	Description
7c42e2ebeb	fix	prevent XSS via SVG animation attributeName and MathML/SVG URLs

v19.2.16

Compare Source

http

Commit	Type	Description
05fe6686a9	fix	prevent XSRF token leakage to protocol-relative URLs

v19.2.15

Compare Source

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

core

Commit	Type	Description
70d0639bc1	fix	introduce BootstrapContext for improved server bootstrapping (#​63639)

v19.2.14

Compare Source

compiler

Commit	Type	Description
24bab55f0c	fix	lexer support for template literals in object literals (#​61601)

migrations

Commit	Type	Description
9e1cd49662	fix	preserve comments when removing unused imports (#​61674)

v19.2.13

Compare Source

common

Commit	Type	Description
2c876b4fc5	fix	avoid injecting ApplicationRef in FetchBackend (#​61649)

service-worker

Commit	Type	Description
b15bddfa04	fix	do not register service worker if app is destroyed before it is ready to register (#​61101)

v19.2.12

Compare Source

common

Commit	Type	Description
126efc9972	fix	cancel reader when app is destroyed (#​61528)
efda872453	fix	prevent reading chunks if app is destroyed (#​61354)

compiler

Commit	Type	Description
44bb328eae	fix	avoid conflicts between HMR code and local symbols (#​61550)

compiler-cli

Commit	Type	Description
107180260f	fix	Always retain prior results for all files (#​61487)
1191e62d70	fix	avoid ECMAScript private field metadata emit (#​61227)

core

Commit	Type	Description
2b1b14f4d3	fix	cleanup rxResource abort listener (#​58306)
8f9b05eaaa	fix	cleanup testability subscriptions (#​61261)
eb53bda470	fix	enable stashing only when withEventReplay() is invoked (#​61352)
94f5a4b4d6	fix	Testing should not throw when Zone does not patch test FW APIs (#​61376)
c0c69a5abc	fix	unregister onDestroy in toSignal. (#​61514)

platform-server

Commit	Type	Description
8edafd0559	perf	speed up resolution of base (#​61392)

v19.2.11

Compare Source

v19.2.10

Compare Source

common

Commit	Type	Description
89056a0356	fix	cleanup updateLatestValue if view is destroyed before promise resolves (#​61064)

core

Commit	Type	Description
4623b61448	fix	missing useExisting providers throwing for optional calls (#​61152)
400dbc5b89	fix	properly handle app stabilization with defer blocks (#​61056)

platform-server

Commit	Type	Description
a6f0d5bc20	fix	less aggressive ngServerMode cleanup (#​61106)

v19.2.9

Compare Source

core

Commit	Type	Description
946b844e0d	fix	async EventEmitter error should not prevent stability (#​61028)
dbb87026ca	fix	call DestroyRef on destroy callback if view is destroyed [patch] (#​61061)
2e140a136a	fix	prevent stash listener conflicts [patch] (#​61063)

v19.2.8

Compare Source

forms

Commit	Type	Description
ea4a211216	fix	make NgForm emit FormSubmittedEvent and FormResetEvent (#​60887)

v19.2.7

Compare Source

common

Commit	Type	Description
37ab6814f5	fix	issue a warning instead of an error when NgOptimizedImage exceeds the preload limit (#​60883)

core

Commit	Type	Description
b144126612	fix	inject migration: replace param with this. (#​60713)

http

Commit	Type	Description
d39e09da41	fix	Include HTTP status code and headers when HTTP requests errored in httpResource (#​60802)

v19.2.6

Compare Source

compiler

Commit	Type	Description
3441f7b914	fix	error if rawText isn't estimated correctly (#​60529) (#​60753)

compiler-cli

Commit	Type	Description
fc946c5f72	fix	ensure HMR works with different output module type (#​60797)

core

Commit	Type	Description
00bbd9b382	fix	fix docs for output migration (#​60764)
f2bfa3151e	fix	fix ng generate @​angular/core:output-migration. Fixes angular#​58650 (#​60763)
9241615ad0	fix	reduce total memory usage of various migration schematics (#​60776)

language-service

Commit	Type	Description
0e82d42774	fix	Do not provide element completions in end tag (#​60616)
fcdef1019f	fix	Ensure dollar signs are escaped in completions (#​60597)

v19.2.5

Compare Source

Commit	Type	Description
e61d06afb5	fix	step 6 tutorial docs (#​60630)

animations

Commit	Type	Description
fa48f98d9f	fix	add missing peer dependency on @angular/common (#​60660)

compiler

Commit	Type	Description
ca5aa4d55b	fix	throw for invalid "as" expression in if block (#​60580)

compiler-cli

Commit	Type	Description
f4c4b10ea8	fix	Produce fatal diagnostic on duplicate decorated properties (#​60376)
22a0e54ac4	fix	support relative imports to symbols outside rootDir (#​60555)

core

Commit	Type	Description
64da69f7b6	fix	check ngDevMode for undefined (#​60565)
8f68d1bec3	fix	fix ng generate @​angular/core:output-migration (#​60626)
bc79985c65	fix	fix regexp for event types (#​60592)
006ac7f22f	fix	fixes #​592882 ng generate @​angular/core:signal-queries-migration (#​60688)
da6e93f434	fix	preserve comments in internal inject migration (#​60588)
dbbddd1617	fix	prevent omission of deferred pipes in full compilation (#​60571)

language-service

Commit	Type	Description
0e9e0348dd	fix	Update adapter to log instead of throw errors (#​60651)

migrations

Commit	Type	Description
15f53f035b	fix	handle shorthand assignments in super call (#​60602)
4b161e6234	fix	inject migration not handling super parameter referenced via this (#​60602)

router

Commit	Type	Description
958e98e4f7	fix	Add missing types to transition (#​60307)

service-worker

Commit	Type	Description
7cd89ad2c6	fix	assign initializing client's app version, when a request is for worker script (#​58131)

v19.2.4

Compare Source

core

Commit	Type	Description
081f5f5a83f	fix	fix used templates are not deleted (#​60459)

localize

Commit	Type	Description
a2f622d82d6	fix	handle @​angular/build:karma in ng add (#​60513)

platform-browser

| Commit

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.