Update dependency @angular/ssr to v19 [SECURITY] by renovate-bot · Pull Request #56 · GoogleCloudPlatform/customer-experience-modernization

renovate-bot · 2025-09-10T23:23:23Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/ssr	`^17.0.3` → `^19.0.0`

GitHub Vulnerability Alerts

CVE-2025-59052

Impact

Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state.

In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks.

The following APIs were vulnerable and required SSR-only breaking changes:

bootstrapApplication: This function previously implicitly retrieved the last platform injector that was created. It now requires an explicit BootstrapContext in a server environment. This function is only used for standalone applications. NgModule-based applications are not affected.
getPlatform: This function previously returned the last platform instance that was created. It now always returns null in a server environment.
destroyPlatform: This function previously destroyed the last platform instance that was created. It's now a no-op when called in a server environment.

For bootstrapApplication, the framework now provides a new argument to the application's bootstrap function:

// Before:
const bootstrap = () => bootstrapApplication(AppComponent, config);

// After:
const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

As is usually the case for changes to Angular, an automatic schematic will take care of these code changes as part of ng update:

# For apps on Angular v20:
ng update @&#8203;angular/cli @&#8203;angular/core

# For apps on Angular v19:
ng update @&#8203;angular/cli@19 @&#8203;angular/core@19

# For apps on Angular v18:
ng update @&#8203;angular/cli@18 @&#8203;angular/core@18

The schematic can also be invoked explicitly if the version bump was pulled in independently:

# For apps on Angular v20:
ng update @&#8203;angular/core --name add-bootstrap-context-to-server-main

# For apps on Angular v19:
ng update @&#8203;angular/core@19 --name add-bootstrap-context-to-server-main

# For apps on Angular v18:
ng update @&#8203;angular/core@18 --name add-bootstrap-context-to-server-main

For applications that still use CommonEngine, the bootstrap property in CommonEngineOptions also gains the same context argument in the patched versions of Angular.

In local development (ng serve), Angular CLI triggered a codepath for Angular's "JIT" feature on the server even in applications that weren't using it in the browser. The codepath introduced async behavior between platform creation and application bootstrap, triggering the race condition even if an application didn't explicitly use getPlatform or custom async logic in bootstrap. Angular applications should never run in this mode outside of local development.

Patches

The issue has been patched in all active release lines as well as in the v21 prerelease:

@angular/platform-server: 21.0.0-next.3
@angular/platform-server: 20.3.0
@angular/platform-server: 19.2.15
@angular/platform-server: 18.2.14
@angular/ssr: 21.0.0-next.3
@angular/ssr: 20.3.0
@angular/ssr: 19.2.16
@angular/ssr: 18.2.21

Workarounds

Disable SSR via Server Routes (v19+) or builder options.
Remove any asynchronous behavior from custom bootstrap functions.
Remove uses of getPlatform() in application code.
Ensure that the server build defines ngJitMode as false.

References

CVE-2026-27739

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and X-Forwarded-* family to determine the application's base origin without any validation of the destination domain.

Specifically, the framework didn't have checks for the following:

Host Domain: The Host and X-Forwarded-Host headers were not checked to belong to a trusted origin. This allows an attacker to redefine the "base" of the application to an arbitrary external domain.
Path & Character Sanitization: The X-Forwarded-Host header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs.
Port Validation: The X-Forwarded-Port header was not verified as numeric, leading to malformed URI construction or injection attacks.

This vulnerability manifests in two primary ways:

Implicit Relative URL Resolution: Angular's HttpClient resolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can "steer" these requests to an external server or internal service.
Explicit Manual Construction: Developers injecting the REQUEST object to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing the Host / X-Forwarded-* headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.

Impact

When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to:

Credential Exfiltration: Stealing sensitive Authorization headers or session cookies by redirecting them to an attacker's server.
Internal Network Probing: Accessing and transmitting data from internal services, databases, or cloud metadata endpoints (e.g., 169.254.169.254) not exposed to the public internet.
Confidentiality Breach: Accessing sensitive information processed within the application's server-side context.

Attack Preconditions

The victim application must use Angular SSR (Server-Side Rendering).
The application must perform HttpClient requests using relative URLs OR manually construct URLs using the unvalidated Host / X-Forwarded-* headers using the REQUEST object.
Direct Header Access: The application server is reachable by an attacker who can influence these headers without strict validation from a front-facing proxy.
Lack of Upstream Validation: The infrastructure (Cloud, CDN, or Load Balancer) does not sanitize or validate incoming headers.

Patches

21.2.0-rc.1
21.1.5
20.3.17
19.2.21

Workarounds

Use Absolute URLs: Avoid using req.headers for URL construction. Instead, use trusted variables for your base API paths.
Implement Strict Header Validation (Middleware): If you cannot upgrade immediately, implement a middleware in your server.ts to enforce numeric ports and validated hostnames.

const ALLOWED_HOSTS = new Set(['your-domain.com']);

app.use((req, res, next) => {
  const hostHeader = (req.headers['x-forwarded-host'] ?? req.headers['host'])?.toString();
  const portHeader = req.headers['x-forwarded-port']?.toString();

  if (hostHeader) {
    const hostname = hostHeader.split(':')[0];
    // Reject if hostname contains path separators or is not in allowlist
    if (/^[a-z0-9.:-]+$/i.test(hostname) || 
       (!ALLOWED_HOSTS.has(hostname) && hostname !== 'localhost')) {
      return res.status(400).send('Invalid Hostname');
    }
  }

  // Ensure port is strictly numeric if provided
  if (portHeader && !/^\d+$/.test(portHeader)) {
    return res.status(400).send('Invalid Port');
  }

  next();
});

References

Fix
Docs

Release Notes

angular/angular-cli (@angular/ssr)

Commit	Type	Description
288e22816	fix	prevent open redirect via X-Forwarded-Prefix header
2a72d7483	fix	validate host headers to prevent header-based SSRF

Commit	Type	Description
a3504fd45	fix	HMR requires AOT do not show HMR enabled when using JIT
5ce9f96a4	fix	include full metadata for AOT unit-testing

Commit	Type	Description
cba66a85c	fix	avoid attempting to watch bundler internal files
009fc3776	fix	avoid internal karma request cache for assets
b43da3949	perf	fix unnecessary esbuild rebuilds

Commit	Type	Description
4a8a4a083	fix	include `module` value check when adding custom conditions
00cd0d123	fix	prevent nested CSS in components
a297c4153	fix	properly resolve transitive external dependencies in vite-dev-server
8ab033e8e	fix	update vite to 6.2.6

Commit	Type	Description
7f1e8c677	fix	include component test metadata in development builds
74cd4edd5	fix	skip normalization of relative externals

Commit	Type	Description
76cfd364a	fix	correctly handle `false` value in server option
d69188c6b	fix	update vite to 6.2.4 due to a security issues

Commit	Type	Description
20455e2a6	fix	correct handling of response/request errors
32b1dcd91	fix	handle undefined `getOrCreateAngularServerApp` during error compilation
7552a9fec	fix	normalize karma asset paths before lookup
1eb5b4357	fix	update vite to 6.2.3

Commit	Type	Description
b0b643e46	fix	ensure errors for missing component resources
2cd763e89	fix	ensure relative karma stack traces for test failures

Commit	Type	Description
4575265f0	fix	exclude all entrypoints of a library from prebundling
83fcffbb7	fix	handle postcss compilation errors gracefully
78297ee47	fix	provide `extract-i18n` does not respect
b18b9c8f2	fix	remove duplicate prebundling warning

Commit	Type	Description
fe8d83a1f	fix	add additional checks for application builder usage
adf4ea5d4	fix	remove animations module from ng new app

Commit	Type	Description
ef7ea536f	feat	add aot option to jest
523d539c6	feat	add aot option to karma
a00a49a65	feat	add aot to WTR schema
2bae1a9c0	fix	support aot option for karma browser builder

Commit	Type	Description
11fab9c7d	feat	add application builder karma testing to package
a5fcf8044	fix	provide karma stack trace sourcemap support
964fb778b	fix	support per component updates of multi-component files
f836be9e6	fix	support Vite `allowedHosts` option for development server
0ddf6aafa	fix	utilize bazel stamp instead of resolving peer dependency versions

Commit	Type	Description
f76cee637	fix	correctly parse and resolve relative schematic collection names on Windows
ceba7739c	fix	prefer installed package as fallback when listing package groups

Commit	Type	Description
2f60a24dd	fix	suppress asset missing warning for `/index.html` requests
b8f7952b7	fix	update critical CSS inlining to support `autoCsp`

Commit	Type	Description
8890a5f76	fix	always provide Vite client helpers with development server
df1d38846	fix	configure Vite CORS option
a13a49d95	fix	exclude unmodified files from logs with `--localize`
0826315fa	fix	handle unlocalizable files correctly in localized prerender
d2e1c8e9f	perf	cache translated i18n bundles for faster builds

Commit	Type	Description
f5d974576	fix	accurately calculate content length for static pages with `\r\n`
c26ea1619	fix	properly handle baseHref with protocol

Commit	Type	Description
3f7042672	fix	remove additional newline after standalone property
e9778dba0	fix	skip ssr migration when `@angular/ssr` is not a dependency

Commit	Type	Description
27f833186	fix	avoid pre-transform errors with Vite pre-bundling
8f6ee7ed9	fix	ensure full rebuild after initial error build in watch mode
2b9c00f68	fix	prevent fallback to serving main.js for unknown requests
45abd15b7	fix	prevent server manifest generation when no server features are enabled

Commit	Type	Description
d53d25fc1	fix	allow tailwindcss 4.x as a peer dependency
bd9d379f0	fix	disable TypeScript `removeComments` option
e73e9102e	fix	handle empty module case to avoid TypeError
bb413456e	fix	keep background referenced HMR update chunks
2011d3428	fix	support template updates that also trigger global stylesheet changes
688019946	fix	update vite to version 6.0.11

Commit	Type	Description
94643d54d	fix	enhance dynamic route matching for better performance and accuracy
747557aa0	fix	redirect to locale pathname instead of full URL
bbbc1eb7a	fix	rename `provideServerRoutesConfig` to `provideServerRouting`

Commit	Type	Description
ff8192a35	fix	correct path for `/@ng/components` on Windows
14d2f7ca0	fix	include extracted routes in the manifest during prerendering
c87a38f5b	fix	only issue invalid i18n config error for duplicate `subPaths` with inlined locales
d50788cf9	fix	replace deprecation of `i18n.baseHref` with a warning

Commit	Type	Description
bcc5fab75	fix	prevent route matcher error when SSR routing is not used
9bacf3981	fix	properly manage catch-all routes with base href
59c757781	fix	unblock route extraction with `withEnabledBlockingInitialNavigation`

Commit	Type	Description
7d8c34172	fix	allow asset changes to reload page on incremental updates
9fa29af37	fix	handle relative `@ng/components`
c4de34703	fix	perform full reload for templates with `$localize` usage

Conversation

renovate-bot commented Sep 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

References

Impact

Attack Preconditions

Patches

Workarounds

References

Release Notes

Breaking Changes

Configuration

Uh oh!

forking-renovate bot commented Sep 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ Artifact update problem

File name: genai-for-marketing/frontend/package-lock.json

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate-bot commented Sep 10, 2025 •

edited

Loading

forking-renovate bot commented Sep 10, 2025 •

edited

Loading

Commit	Type	Description
939d1612a	fix	perform incremental background file updates with component updates
304027207	fix	prevent full page reload on HMR updates with SSR enabled
148acbd58	fix	reset component updates on dev-server index request