CVE-2025-59052
Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data LeakageAngular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks. The APIs `bootstrapApplication`, `getPlatform`, and `destroyPlatform` were vulnerable and required SSR-only breaking changes. The issue has been patched in all active release lines as well as in the v21 prerelease. Patched packages include `@angular/platform-server` 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14 and `@angular/ssr` 21.0.0-next.3, 20.3.0, 19.2.16, and 18.2.21. Several workarounds are available. Disable SSR via Server Routes or builder options, remove any asynchronous behavior from custom `bootstrap` functions, remove uses of `getPlatform()` in application code, and/or ensure that the server build defines `ngJitMode` as false.
We have discovered 7,386 live websites that are affected by CVE-2025-59052.
Affected Software
| Product |  Angular |
| Category | Web Application Frameworks |
| Vulnerable Domains | 7,386 live websites (29% of Angular install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 108 versions ( 26% of all versions) |
Common Weakness Enumeration
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')Details
- Published - Sep 10, 2025
- Updated - Sep 10, 2025
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-59052 United States | 3,113 websites |
 Germany | 1,172 websites |
 France | 274 websites |
 Russia | 231 websites |
 Belgium | 212 websites |
 GB | 193 websites |
 Brazil | 192 websites |
 India | 128 websites |
 Sweden | 124 websites |
 Italy | 110 websites |
Website Distribution by TLD
Number of websites using CVE-2025-59052| .com | 2,505 websites |
| .de | 886 websites |
| .org | 284 websites |
| .be | 256 websites |
| .ru | 215 websites |
| .fr | 193 websites |
| .ch | 185 websites |
| .co.uk | 142 websites |
| .net | 141 websites |
| .com.br | 137 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-59052
Top websites that are affected by CVE-2025-59052. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.org | United States | *** | |
| ************.com | United States | *,*** | |
| *************.net | United States | *,*** | |
| ***.fr | France | *,*** | |
| ***********.***.au |  Australia | *,*** | |
| *****.com | United States | *,*** | |
| ******.**.jp |  Japan | *,*** | |
| ******************.info | GB | *,*** | |
| **********.com | United States | *,*** | |
| ************.com | United States | *,*** |
FAQ
CVE-2025-59052 is Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in Angular
A total of 7,386 websites have been identified as vulnerable to CVE-2025-59052, based on global website indexing conducted by WebTechSurvey.
The Angular is affected by the CVE-2025-59052 vulnerability.
Angular versions up to and including 21 are vulnerable to CVE-2025-59052.