SCA: security update for @angular/platform-server, @angular/ssr (GHSA-68x2-mx4q-78m7)

high Tenable Self-Hosted Container Security Plugin ID 435253

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Angular is a development platform for building mobile and desktop web applications using
TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold
request-specific state during server-side rendering. For historical reasons, the container was stored as a
JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could
inadvertently share or overwrite the global injector state. In practical terms, this can lead to one
request responding with data meant for a completely different request, leaking data or tokens included on
the rendered page or in response headers. As long as an attacker had network access to send any traffic
that received a rendered response, they may have been able to send a large number of requests and then
inspect the responses for information leaks. The APIs `bootstrapApplication`, `getPlatform`, and
`destroyPlatform` were vulnerable and required SSR-only breaking changes. The issue has been patched in
all active release lines as well as in the v21 prerelease. Patched packages include `@angular/platform-
server` 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14 and `@angular/ssr` 21.0.0-next.3, 20.3.0, 19.2.16, and
18.2.21. Several workarounds are available. Disable SSR via Server Routes or builder options, remove any
asynchronous behavior from custom `bootstrap` functions, remove uses of `getPlatform()` in application
code, and/or ensure that the server build defines `ngJitMode` as false. (CVE-2025-59052)

See Also

https://github.com/advisories/GHSA-68x2-mx4q-78m7

Plugin Details

Severity: High

ID: 435253

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 9/11/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2025-59052

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.1

Threat Score: 5

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/10/2025

Vulnerability Publication Date: 9/10/2025

Reference Information

CVE: CVE-2025-59052

cwe: CWE-362