{"url":"http://public2.vulnerablecode.io/api/packages/66484?format=json","purl":"pkg:npm/%40nguniversal/common@16.1.2","type":"npm","namespace":"@nguniversal","name":"common","version":"16.1.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50355?format=json","vulnerability_id":"VCID-c849-wwtp-vkhz","summary":"Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline\nA [Server-Side Request Forgery (SSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the destination domain.\n\nSpecifically, the framework didn't have checks for the following:\n- **Host Domain**: The `Host` and `X-Forwarded-Host` headers were not checked to belong to a trusted origin. This allows an attacker to redefine the \"base\" of the application to an arbitrary external domain.\n- **Path & Character Sanitization**: The `X-Forwarded-Host` header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs.\n- **Port Validation**: The `X-Forwarded-Port` header was not verified as numeric, leading to malformed URI construction or injection attacks.\n\n\nThis vulnerability manifests in two primary ways:\n\n- **Implicit Relative URL Resolution**: Angular's `HttpClient` resolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can \"steer\" these requests to an external server or internal service.\n- **Explicit Manual Construction**: Developers injecting the `REQUEST` object to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing the `Host` / `X-Forwarded-*` headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.","references":[{"reference_url":"https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T17:59:01Z/"}],"url":"https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27739","reference_id":"","reference_type":"","scores":[{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19416","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19459","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19466","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19346","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19371","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27739"},{"reference_url":"https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T17:59:01Z/"}],"url":"https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF"},{"reference_url":"https://github.com/angular/angular-cli","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/angular/angular-cli"},{"reference_url":"https://github.com/angular/angular-cli/pull/32516","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T17:59:01Z/"}],"url":"https://github.com/angular/angular-cli/pull/32516"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27739","reference_id":"CVE-2026-27739","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27739"},{"reference_url":"https://github.com/advisories/GHSA-x288-3778-4hhx","reference_id":"GHSA-x288-3778-4hhx","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x288-3778-4hhx"},{"reference_url":"https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx","reference_id":"GHSA-x288-3778-4hhx","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T17:59:01Z/"}],"url":"https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx"}],"fixed_packages":[],"aliases":["CVE-2026-27739","GHSA-x288-3778-4hhx"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c849-wwtp-vkhz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58140?format=json","vulnerability_id":"VCID-mt1f-kgen-7yeb","summary":"Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage\nAngular uses a DI container (the \"platform injector\") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state.\n\nIn practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks.\n\nThe following APIs were vulnerable and required SSR-only breaking changes:\n\n* `bootstrapApplication`: This function previously implicitly retrieved the last platform injector that was created. It now requires an explicit `BootstrapContext` in a server environment. This function is only used for standalone applications. NgModule-based applications are not affected.\n* `getPlatform`: This function previously returned the last platform instance that was created. It now always returns `null` in a server environment.\n* `destroyPlatform`: This function previously destroyed the last platform instance that was created. It's now a no-op when called in a server environment.\n\nFor `bootstrapApplication`, the framework now provides a new argument to the application's bootstrap function:\n\n```ts\n// Before:\nconst bootstrap = () => bootstrapApplication(AppComponent, config);\n\n// After:\nconst bootstrap = (context: BootstrapContext) =>\nbootstrapApplication(AppComponent, config, context);\n```\n\nAs is usually the case for changes to Angular, an automatic schematic will take care of these code changes as part of ng update:\n\n```sh","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59052.json","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59052.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59052","reference_id":"","reference_type":"","scores":[{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22394","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.23985","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24091","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24038","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.2398","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59052"},{"reference_url":"https://github.com/angular/angular","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/angular/angular"},{"reference_url":"https://github.com/angular/angular-cli/pull/31108","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-10T20:24:52Z/"}],"url":"https://github.com/angular/angular-cli/pull/31108"},{"reference_url":"https://github.com/angular/angular/pull/63562","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-10T20:24:52Z/"}],"url":"https://github.com/angular/angular/pull/63562"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2394458","reference_id":"2394458","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2394458"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59052","reference_id":"CVE-2025-59052","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59052"},{"reference_url":"https://github.com/advisories/GHSA-68x2-mx4q-78m7","reference_id":"GHSA-68x2-mx4q-78m7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-68x2-mx4q-78m7"},{"reference_url":"https://github.com/angular/angular/security/advisories/GHSA-68x2-mx4q-78m7","reference_id":"GHSA-68x2-mx4q-78m7","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-10T20:24:52Z/"}],"url":"https://github.com/angular/angular/security/advisories/GHSA-68x2-mx4q-78m7"}],"fixed_packages":[],"aliases":["CVE-2025-59052","GHSA-68x2-mx4q-78m7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mt1f-kgen-7yeb"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45804?format=json","vulnerability_id":"VCID-z423-65xx-8ydx","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @nguniversal/common.","references":[{"reference_url":"https://github.com/angular/universal","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/angular/universal"},{"reference_url":"https://github.com/advisories/GHSA-r3hf-q8q7-fv2p","reference_id":"GHSA-r3hf-q8q7-fv2p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r3hf-q8q7-fv2p"},{"reference_url":"https://github.com/angular/universal/security/advisories/GHSA-r3hf-q8q7-fv2p","reference_id":"GHSA-r3hf-q8q7-fv2p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/angular/universal/security/advisories/GHSA-r3hf-q8q7-fv2p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66484?format=json","purl":"pkg:npm/%40nguniversal/common@16.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c849-wwtp-vkhz"},{"vulnerability":"VCID-mt1f-kgen-7yeb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540nguniversal/common@16.1.2"}],"aliases":["GHSA-r3hf-q8q7-fv2p","GMS-2023-1874"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z423-65xx-8ydx"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540nguniversal/common@16.1.2"}