Server-Side Rendering Data Leakage in Angular Development Platform
CVE-2025-59052

7.1 HIGH

Key Information:

Vendor: Angular

Status
Vendor
CVE Published: 10 September 2025

What is CVE-2025-59052?

CVE-2025-59052 is a vulnerability found in the Angular Development Platform, which is widely used for creating web applications across mobile and desktop environments using TypeScript and JavaScript. This specific vulnerability relates to the handling of server-side rendering (SSR) state through the platform's dependency injection (DI) container. Because this container is stored as a global variable, concurrent requests can unintentionally share or overwrite its state, leading to potential data leakage. The vulnerability allows for the possibility of one request returning data meant for another, which could include sensitive information like tokens or application data. This situation could have severe repercussions, particularly in multi-user environments where various requests are processed simultaneously, risking exposure of sensitive user data to unauthorized parties.
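The failure mode described above, modelled in plain JavaScript as an added example (not Angular's code and not taken from the advisory). `sharedContainer`, `renderShared`, `renderScoped` and the token values are constructed for illustration, and the per-request variant shows the general mitigation pattern, not the vendor's patch.

```javascript
// Constructed model of the bug class; no Angular APIs are used.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Stand-in for a DI container kept in a process-wide global (hypothetical name).
let sharedContainer = null;

// Vulnerable pattern: install request state in the global, await I/O,
// then read the global back while building the response.
async function renderShared(user, ioDelayMs) {
  sharedContainer = { token: user.token };
  await sleep(ioDelayMs); // another request can run here and overwrite the global
  return `<p>${user.name}: ${sharedContainer.token}</p>`;
}

// Per-request pattern: the container is a local object that travels with the
// request, so concurrent renders cannot observe each other's state.
async function renderScoped(user, ioDelayMs) {
  const container = { token: user.token };
  await sleep(ioDelayMs);
  return `<p>${user.name}: ${container.token}</p>`;
}

// Run two overlapping renders; alice's I/O is slower, so bob's request
// starts and finishes while alice's is still suspended.
async function renderConcurrently(render) {
  const alice = { name: 'alice', token: 'tok-alice' }; // constructed sample data
  const bob = { name: 'bob', token: 'tok-bob' };
  const [aliceHtml, bobHtml] = await Promise.all([render(alice, 20), render(bob, 5)]);
  return { aliceHtml, bobHtml };
}

// True when a response contains a token that belongs to the other user.
function leaked({ aliceHtml, bobHtml }) {
  return aliceHtml.includes('tok-bob') || bobHtml.includes('tok-alice');
}

// Render with the shared global first, then with per-request state.
async function runDemo() {
  const shared = await renderConcurrently(renderShared);
  const scoped = await renderConcurrently(renderScoped);
  console.log('shared global:', shared, 'leak =', leaked(shared));
  console.log('per-request  :', scoped, 'leak =', leaked(scoped));
  return { shared, scoped };
}

const demo = runDemo();
```

The same `leaked` check works as a regression test in an SSR test suite: render two requests with distinct marker values concurrently and fail the build if either response contains the other's marker.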

Potential impact of CVE-2025-59052

  1. Data Leakage: The most pressing impact of this vulnerability is the potential leakage of sensitive data across user sessions. An attacker with network access could exploit the flaw to send multiple requests and gain access to response data meant for other users, leading to significant privacy violations.

  2. Session Confusion: The sharing of state between requests can lead to session confusion, where users may inadvertently receive data from another user's session. This could facilitate unauthorized access to personal information, affecting user trust and the integrity of the application.

  3. Increased Attack Surface: The vulnerability increases the surface area for potential attacks. If exploited, it could enable attackers to perform further malicious activities, such as token theft or impersonation, by leveraging the leaked data for session hijacking or escalating privilege access.

Affected Version(s)

  • @angular/platform-server >= 16.0.0-next.0, < 18.2.14

  • @angular/platform-server >= 20.0.0-next.0, < 20.3.0

  • @angular/platform-server >= 19.0.0-next.0, < 19.2.15

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved