Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks. The APIs `bootstrapApplication`, `getPlatform`, and `destroyPlatform` were vulnerable and required SSR-only breaking changes. The issue has been patched in all active release lines as well as in the v21 prerelease. Patched packages include `@angular/platform-server` 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14 and `@angular/ssr` 21.0.0-next.3, 20.3.0, 19.2.16, and 18.2.21. Several workarounds are available. Disable SSR via Server Routes or builder options, remove any asynchronous behavior from custom `bootstrap` functions, remove uses of `getPlatform()` in application code, and/or ensure that the server build defines `ngJitMode` as false.
We have discovered 7,386 live websites that are affected by CVE-2025-59052.
| Product | |
| Category | Web Application Frameworks |
| Vulnerable Domains | 7,386 live websites (29% of Angular install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 108 versions ( 26% of all versions) |
| 3,113 websites | |
| 1,172 websites | |
| 274 websites | |
| 231 websites | |
| 212 websites | |
| 193 websites | |
| 192 websites | |
| 128 websites | |
| 124 websites | |
| 110 websites |
| .com | 2,505 websites |
| .de | 886 websites |
| .org | 284 websites |
| .be | 256 websites |
| .ru | 215 websites |
| .fr | 193 websites |
| .ch | 185 websites |
| .co.uk | 142 websites |
| .net | 141 websites |
| .com.br | 137 websites |
| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.org | *** | ||
| ************.com | *,*** | ||
| *************.net | *,*** | ||
| ***.fr | *,*** | ||
| ***********.***.au | *,*** | ||
| *****.com | *,*** | ||
| ******.**.jp | *,*** | ||
| ******************.info | *,*** | ||
| **********.com | *,*** | ||
| ************.com | *,*** |
FAQ