Server-Side Rendering Data Leakage in Angular Development Platform
CVE-2025-59052

7.1 HIGH

Key Information:

Vendor: Angular
CVE Published: 10 September 2025

What is CVE-2025-59052?

Angular, a platform for mobile and desktop web application development, has disclosed a vulnerability in its server-side rendering (SSR) component. The issue stems from the platform injector, which is designed to store request-specific state. When requests are processed concurrently, they might inadvertently share the global injector state, so data belonging to one request can leak into the response for another. Attackers with network access could exploit this by sending multiple requests and analyzing the responses to extract sensitive information associated with other requests. Google has patched the affected versions and recommends disabling SSR or modifying the bootstrap functions and application code to mitigate risks.
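
The shared-state race described above, as an added, simplified model that is not Angular's code: `globalInjector`, `renderShared`, `renderIsolated`, `serveConcurrently` and `findLeaks` are hypothetical names, and a generator's `yield` stands in for an `await` during rendering. It contrasts state kept in a process-wide object with state carried per request, and includes a check an SSR test suite can use to catch cross-request leakage.

```javascript
// Simplified model of the race; not Angular's code. All names are hypothetical.
// A generator's `yield` stands in for an `await` during rendering, where the
// server is free to start working on another request.

// Stand-in for a process-wide injector that holds request-specific state.
const globalInjector = { request: null };

// Vulnerable shape: request state is written to the shared global, then read
// back after the suspension point.
function* renderShared(req) {
  globalInjector.request = req;
  yield; // e.g. waiting on a data fetch
  return `<p>Hello ${globalInjector.request.user}</p>`;
}

// Mitigated shape: each render carries its own context; nothing global is read.
function* renderIsolated(req) {
  const context = { request: req };
  yield;
  return `<p>Hello ${context.request.user}</p>`;
}

// Run renders "concurrently": start every one up to its first yield, then
// resume them in order, the way an event loop interleaves in-flight requests.
function serveConcurrently(render, requests) {
  const tasks = requests.map((req) => render(req));
  tasks.forEach((t) => t.next());          // all requests reach their await
  return tasks.map((t) => t.next().value); // all requests finish
}

// Regression check: every response must contain its own request's marker.
function findLeaks(requests, responses) {
  return responses
    .map((html, i) => ({ sentBy: requests[i].user, html }))
    .filter((r) => !r.html.includes(r.sentBy));
}

// Constructed sample requests.
const requests = [{ user: 'alice' }, { user: 'bob' }];

const shared = serveConcurrently(renderShared, requests);
const isolated = serveConcurrently(renderIsolated, requests);
console.log('shared  :', shared, 'leaks:', findLeaks(requests, shared).length);
console.log('isolated:', isolated, 'leaks:', findLeaks(requests, isolated).length);
```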

Affected Version(s)

  • @angular/platform-server >= 16.0.0-next.0, < 18.2.14

  • @angular/platform-server >= 19.0.0-next.0, < 19.2.15

  • @angular/platform-server >= 20.0.0-next.0, < 20.3.0

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
