Angular Platform Server and SSR Data Leakage Vulnerability

A race condition vulnerability has been identified in Angular's server-side rendering (SSR) process, specifically within the platform injector that manages request-specific state. This vulnerability, present in versions 16.0.0-next.0 prior to 18.2.14, 20.0.0-next.0 prior to 20.3.0, 19.0.0-next.0 prior to 19.2.15, and 21.0.0-next.0 prior to 21.0.0-next.3, can lead to cross-request data leakage. When multiple requests are handled simultaneously, they may unintentionally share or overwrite the global injector state, causing one request to receive data intended for another. This could result in the unintentional disclosure of data or tokens included in the rendered page or response headers. An attacker with network access could exploit this by sending numerous requests and analyzing the responses for leaked information.

Impact

Exploitation of this vulnerability could allow for unauthorized data access, with one request potentially receiving data intended for a different request, including sensitive information or tokens.

Reproduction

To reproduce this vulnerability, send multiple concurrent requests to a server using an affected version of Angular with SSR enabled. The global platform injector may inadvertently share or overwrite state between requests, leading to data leakage.

Remediation

The vulnerability has been patched in all active release lines, including version 21.0.0-next.3. Instructions for updating to the patched versions are available in the Angular documentation.