Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-xp29-gqf1-hyg6
Vulnerability ID VCID-xp29-gqf1-hyg6
Aliases GMS-2016-73
Summary Bypass CSP protection Extension URIs (`resource://...`) bypass ````Content-Security-Policy```` in Chrome and Firefox and can always be loaded. Now if a site already has a XSS bug, and uses CSP to protect itself, but the user has an extension installed that uses Angular, an attacked can load Angular from the extension, and Angular's auto-bootstrapping can be used to bypass the victim site's CSP protection.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/angular/angular.js/commit/0ff10e1b56c6b7c4ac465e35c96a5886e294bac5
https://github.com/angular/angular.js/commit/6ce2913d99bb0dade6027ba9733295d0aa13b242
https://github.com/angular/angular.js/commit/a649758655843275cc477fb638f8e55f72a4eaa6
https://github.com/angular/angular.js/commit/ebe90051eda8a3328e5993cca1663e28d03113d0
https://github.com/mozilla/addons-linter/issues/1000
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-12T15:39:31.876422+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/angular/GMS-2016-73.yml 38.6.0