Update security to v19 [SECURITY] (release/v5.4) (major) by renovate-rancher[bot] · Pull Request #1235 · neuvector/manager

renovate-rancher · 2026-06-01T06:16:54Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/common (source)	`14.3.0` → `19.2.16`
@angular/compiler (source)	`14.3.0` → `19.0.0`
@angular/core (source)	`14.3.0` → `19.0.0`

Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client

CVE-2025-66035 / GHSA-58c5-g7wp-6w37

More information

Details

The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.

Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header.

Impact

The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.

Attack Preconditions

The victim's Angular application must have XSRF protection enabled.
The attacker must be able to make the application send a state-changing HTTP request (e.g., POST) to a protocol-relative URL (e.g., //attacker.com) that they control.

Patches

19.2.16
20.3.14
21.0.1

Workarounds

Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Severity

CVSS Score: 7.7 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

CVE-2026-22610 / GHSA-jrmj-c5cx-3cw6

More information

Details

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context.

In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections.

When template binding is used to assign user-controlled data to these attributes for example, <script [attr.href]="userInput"> the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a data:text/javascript URI or a link to an external malicious script.

Impact

When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to:

Session Hijacking: Stealing session cookies, localStorage data, or authentication tokens.
Data Exfiltration: Accessing and transmitting sensitive information displayed within the application.
Unauthorized Actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

Attack Preconditions

The victim application must explicitly use SVG <script> elements within its templates.
The application must use property or attribute binding (interpolation) for the href or xlink:href attributes of those SVG scripts.
The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses).

Patches

19.2.18
20.3.16
21.0.7
21.1.0-rc.0

Workarounds

Until the patch is applied, developers should:

Avoid Dynamic Bindings: Do not use Angular template binding (e.g., [attr.href]) for SVG <script> elements.
Input Validation: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template.

Resources

https://github.com/angular/angular/pull/66318

Severity

CVSS Score: 8.5 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes

CVE-2025-66412 / GHSA-v4hv-rgfq-gp49

More information

Details

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts.

Additionally, a related vulnerability exists involving SVG animation elements (<animate>, <set>, <animateMotion>, <animateTransform>). The attributeName attribute on these elements was not properly validated, allowing attackers to dynamically target security-sensitive attributes like href or xlink:href on other elements. By binding attributeName to "href" and providing a javascript: URL in the values or to attribute, an attacker could bypass sanitization and execute arbitrary code.

Attributes confirmed to be vulnerable include:

SVG-related attributes: (e.g., xlink:href), and various MathML attributes (e.g., math|href, annotation|href).
SVG animation attributeName attribute when bound to "href" or "xlink:href".

When template binding is used to assign untrusted, user-controlled data to these attributes (e.g., [attr.xlink:href]="maliciousURL" or <animate [attributeName]="'href'" [values]="maliciousURL">), the compiler incorrectly falls back to a non-sanitizing context or fails to block the dangerous attribute assignment. This allows an attacker to inject a javascript:URL payload. Upon user interaction (like a click) on the element, or automatically in the case of animations, the malicious JavaScript executes in the context of the application's origin.

Impact

When exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:

Session Hijacking: Stealing session cookies and authentication tokens.
Data Exfiltration: Capturing and transmitting sensitive user data.
Unauthorized Actions: Performing actions on behalf of the user.

Patches

19.2.17
20.3.15
21.0.2

Attack Preconditions

The victim's Angular application must render data derived from untrusted input (e.g., from a database or API) and bind it to one of the unsanitized URL attributes or the attributeName of an SVG animation element.
The victim must perform a user interaction (e.g., clicking) on the compromised element for the stored script to execute, or the animation must trigger the execution.

Workarounds

If you cannot upgrade, you can workaround the issue by ensuring that any data bound to the vulnerable attributes is never sourced from untrusted user input (e.g., database, API response, URL parameters).

Avoid Affected Template Bindings: Specifically avoid using template bindings (e.g., [attr.xlink:href]="maliciousURL") to assign untrusted data to the vulnerable SVG/MathML attributes.
Avoid Dynamic attributeName on SVG Animations: Do not bind untrusted data to the attributeName attribute of SVG animation elements (<animate>, <set>, etc.).
Enable Content Security Policy (CSP): Configure a robust CSP header that disallows javascript: URLs.

Severity

CVSS Score: 8.5 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Angular i18n vulnerable to Cross-Site Scripting

CVE-2026-27970 / GHSA-prjf-86w9-mfqv

More information

Details

A Cross-site Scripting (XSS) vulnerability has been identified in the Angular internationalization (i18n) pipeline. In ICU messages (International Components for Unicode), HTML from translated content was not properly sanitized and could execute arbitrary JavaScript.

Angular i18n typically involves three steps, extracting all messages from an application in the source language, sending the messages to be translated, and then merging their translations back into the final source code. Translations are frequently handled by contracts with specific partner companies, and involve sending the source messages to a separate contractor before receiving final translations for display to the end user.

If the returned translations have malicious content, it could be rendered into the application and execute arbitrary JavaScript.

Impact

When successfully exploited, this vulnerability allows for execution of attacker controlled JavaScript in the application origin. Depending on the nature of the application being exploited this could lead to:

Credential Exfiltration: Stealing sensitive user data stored in page memory, LocalStorage, IndexedDB, or cookies available to JS and sending them to an attacker controlled server.
Page Vandalism: Mutating the page to read or act differently than intended by the developer.

Attach Preconditions

The attacker must compromise the translation file (xliff, xtb, etc.).
Unlike most XSS vulnerabilities, this one is not exploitable by arbitrary users. An attacker must first compromise an application's translation file before they can escalate privileges into the Angular application client.
The victim application must use Angular i18n.
The victim application must use one or more ICU messages.
The victim application must render an ICU message.
The victim application must not defend against XSS via a safe Content-Security Policy (CSP) or Trusted Types.

Patches

21.2.0
21.1.6
20.3.17
19.2.19

Workarounds

Until the patch is applied, developers should consider:

Reviewing and verifying translated content received from untrusted third parties before incorporating it in an Angular application.
Enabling strict CSP controls to block unauthorized JavaScript from executing on the page.
Enabling Trusted Types to enforce proper HTML sanitization.

References

Fix

Severity

CVSS Score: 7.0 / 10 (High)
Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

angular/angular (@angular/common)

Commit	Type	Description
126efc9972	fix	cancel reader when app is destroyed (#61528)
efda872453	fix	prevent reading chunks if app is destroyed (#61354)

Commit	Type	Description
107180260f	fix	Always retain prior results for all files (#61487)
1191e62d70	fix	avoid ECMAScript private field metadata emit (#61227)

Commit	Type	Description
2b1b14f4d3	fix	cleanup `rxResource` abort listener (#58306)
8f9b05eaaa	fix	cleanup testability subscriptions (#61261)
eb53bda470	fix	enable stashing only when `withEventReplay()` is invoked (#61352)
94f5a4b4d6	fix	Testing should not throw when Zone does not patch test FW APIs (#61376)
c0c69a5abc	fix	unregister `onDestroy` in `toSignal`. (#61514)

Commit	Type	Description
4623b61448	fix	missing useExisting providers throwing for optional calls (#61152)
400dbc5b89	fix	properly handle app stabilization with defer blocks (#61056)

Commit	Type	Description
946b844e0d	fix	async EventEmitter error should not prevent stability (#61028)
dbb87026ca	fix	call DestroyRef on destroy callback if view is destroyed [patch] (#61061)
2e140a136a	fix	prevent stash listener conflicts [patch] (#61063)

Commit	Type	Description
00bbd9b382	fix	fix docs for output migration (#60764)
f2bfa3151e	fix	fix ng generate @angular/core:output-migration. Fixes angular#58650 (#60763)
9241615ad0	fix	reduce total memory usage of various migration schematics (#60776)

Commit	Type	Description
0e82d42774	fix	Do not provide element completions in end tag (#60616)
fcdef1019f	fix	Ensure dollar signs are escaped in completions (#60597)

Commit	Type	Description
f4c4b10ea8	fix	Produce fatal diagnostic on duplicate decorated properties (#60376)
22a0e54ac4	fix	support relative imports to symbols outside `rootDir` (#60555)

Commit	Type	Description
64da69f7b6	fix	check ngDevMode for undefined (#60565)
8f68d1bec3	fix	fix ng generate @angular/core:output-migration (#60626)
bc79985c65	fix	fix regexp for event types (#60592)
006ac7f22f	fix	fixes #592882 ng generate @angular/core:signal-queries-migration (#60688)
da6e93f434	fix	preserve comments in internal inject migration (#60588)
dbbddd1617	fix	prevent omission of deferred pipes in full compilation (#60571)

Commit	Type	Description
15f53f035b	fix	handle shorthand assignments in super call (#60602)
4b161e6234	fix	inject migration not handling super parameter referenced via this (#60602)

Commit	Type	Description
13a8709b2b	fix	catch hydration marker with implicit body tag (#60429)
296aded9da	fix	execute timer trigger outside zone (#60392)
0615ffb4f7	fix	include input name in error message (#60404)

Conversation

renovate-rancher Bot commented Jun 1, 2026

Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client

Details

Impact

Attack Preconditions

Patches

Workarounds

Severity

References

Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

Details

Impact

Attack Preconditions

Patches

Workarounds

Resources

Severity

References

Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes

Details

Impact

Patches

Attack Preconditions

Workarounds

Severity

References

Angular i18n vulnerable to Cross-Site Scripting

Details

Impact

Attach Preconditions

Patches

Workarounds

References

Severity

References

Release Notes

http

Breaking Changes

core

core

compiler

migrations

common

service-worker

common

compiler

compiler-cli

core

platform-server

common

core

platform-server

core

forms

common

core

http

compiler

compiler-cli

core

language-service

animations

compiler

compiler-cli

core

language-service

migrations

router

service-worker

core

localize

platform-browser

compiler-cli

core

platform-browser-dynamic

upgrade

compiler

Configuration

Uh oh!