👷 Update dependency @angular/common to v22.0.1 [SECURITY]#4789
Open
renovate[bot] wants to merge 1 commit into
Open
👷 Update dependency @angular/common to v22.0.1 [SECURITY]#4789renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Bundles Sizes Evolution
|
🎉 All green!🧪 All tests passed 🎯 Code Coverage (details) 🔗 Commit SHA: 4312402 | Docs | Datadog PR Page | Give us feedback! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
22.0.0→22.0.1Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client
CVE-2025-66035 / GHSA-58c5-g7wp-6w37
More information
Details
The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.
Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (
http://orhttps://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to theX-XSRF-TOKENheader.Impact
The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.
Attack Preconditions
POST) to a protocol-relative URL (e.g.,//attacker.com) that they control.Patches
Workarounds
Developers should avoid using protocol-relative URLs (URLs starting with
//) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single/) or fully qualified, trusted absolute URLs.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
@angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
CVE-2026-54268 / GHSA-48r7-hpm6-gfxm
More information
Details
A Denial of Service (DoS) vulnerability exists in the
@angular/commonpackage of the Angular framework. TheformatDatefunction, which is also utilized by the standard AngularDatePipe, does not properly limit or validate the length of theformatparameter.When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS).
Impact
1. Server-Side Rendering (SSR)
In Angular applications that leverage Server-Side Rendering, an attacker can supply a malicious payload with an excessively long date format string. Processing this on the server causes high CPU usage and triggers a
JavaScript heap out of memorycrash, rendering the application unavailable to all users.2. Client-Side Rendering (CSR)
In standard client-side applications, executing the vulnerable function with an excessively long format string blocks the browser's main thread, causing the browser tab to freeze and become completely unresponsive.
Patched Versions
Attack Preconditions
For this vulnerability to be exploitable, both of the following conditions must be met:
formatDateutility or theDatePipe.If the date format is hardcoded (e.g.,
'mediumDate','shortTime', or static strings) or properly validated to be within a reasonable length limit, the application is not vulnerable.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
angular/angular (@angular/common)
v22.0.1Compare Source
Deprecations
platform-server
@angular/platform-serveris deprecated. Use standardfetchAPIs instead.(cherry picked from commit
8446e46)common
compiler
href/xlink:hrefattributes of any element of the MathML namespacecompiler-cli
core
forms
tickadditionalProperties: falseon generated WebMCP formhttp
reportUploadProgressandreportDownloadProgresson post/patch requestslanguage-service
platform-server
router
service-worker
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.