fix(deps): update dependency @angular/compiler to v19.2.17 [security]

Open renovate[bot] opened this issue 1 month ago • 0 comments

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/compiler (source)	`17.3.12` -> `19.2.17`
@angular/compiler (source)	`19.2.8` -> `19.2.17`

GitHub Vulnerability Alerts

CVE-2025-66412

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts.

Additionally, a related vulnerability exists involving SVG animation elements (<animate>, <set>, <animateMotion>, <animateTransform>). The attributeName attribute on these elements was not properly validated, allowing attackers to dynamically target security-sensitive attributes like href or xlink:href on other elements. By binding attributeName to "href" and providing a javascript: URL in the values or to attribute, an attacker could bypass sanitization and execute arbitrary code.

Attributes confirmed to be vulnerable include:

SVG-related attributes: (e.g., xlink:href), and various MathML attributes (e.g., math|href, annotation|href).
SVG animation attributeName attribute when bound to "href" or "xlink:href".

When template binding is used to assign untrusted, user-controlled data to these attributes (e.g., [attr.xlink:href]="maliciousURL" or <animate [attributeName]="'href'" [values]="maliciousURL">), the compiler incorrectly falls back to a non-sanitizing context or fails to block the dangerous attribute assignment. This allows an attacker to inject a javascript:URL payload. Upon user interaction (like a click) on the element, or automatically in the case of animations, the malicious JavaScript executes in the context of the application's origin.

Impact

When exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:

Session Hijacking: Stealing session cookies and authentication tokens.
Data Exfiltration: Capturing and transmitting sensitive user data.
Unauthorized Actions: Performing actions on behalf of the user.

Patches

19.2.17
20.3.15
21.0.2

Attack Preconditions

The victim's Angular application must render data derived from untrusted input (e.g., from a database or API) and bind it to one of the unsanitized URL attributes or the attributeName of an SVG animation element.
The victim must perform a user interaction (e.g., clicking) on the compromised element for the stored script to execute, or the animation must trigger the execution.

Workarounds

If you cannot upgrade, you can workaround the issue by ensuring that any data bound to the vulnerable attributes is never sourced from untrusted user input (e.g., database, API response, URL parameters).

Avoid Affected Template Bindings: Specifically avoid using template bindings (e.g., [attr.xlink:href]="maliciousURL") to assign untrusted data to the vulnerable SVG/MathML attributes.
Avoid Dynamic attributeName on SVG Animations: Do not bind untrusted data to the attributeName attribute of SVG animation elements (<animate>, <set>, etc.).
Enable Content Security Policy (CSP): Configure a robust CSP header that disallows javascript: URLs.

Release Notes

angular/angular (@angular/compiler)

Commit	Type	Description
126efc9972	fix	cancel reader when app is destroyed (#61528)
efda872453	fix	prevent reading chunks if app is destroyed (#61354)

Commit	Type	Description
107180260f	fix	Always retain prior results for all files (#61487)
1191e62d70	fix	avoid ECMAScript private field metadata emit (#61227)

Commit	Type	Description
2b1b14f4d3	fix	cleanup `rxResource` abort listener (#58306)
8f9b05eaaa	fix	cleanup testability subscriptions (#61261)
eb53bda470	fix	enable stashing only when `withEventReplay()` is invoked (#61352)
94f5a4b4d6	fix	Testing should not throw when Zone does not patch test FW APIs (#61376)
c0c69a5abc	fix	unregister `onDestroy` in `toSignal`. (#61514)

Commit	Type	Description
4623b61448	fix	missing useExisting providers throwing for optional calls (#61152)
400dbc5b89	fix	properly handle app stabilization with defer blocks (#61056)

Commit	Type	Description
946b844e0d	fix	async EventEmitter error should not prevent stability (#61028)
dbb87026ca	fix	call DestroyRef on destroy callback if view is destroyed [patch] (#61061)
2e140a136a	fix	prevent stash listener conflicts [patch] (#61063)

Commit	Type	Description
00bbd9b382	fix	fix docs for output migration (#60764)
f2bfa3151e	fix	fix ng generate @angular/core:output-migration. Fixes angular#58650 (#60763)
9241615ad0	fix	reduce total memory usage of various migration schematics (#60776)

Commit	Type	Description
0e82d42774	fix	Do not provide element completions in end tag (#60616)
fcdef1019f	fix	Ensure dollar signs are escaped in completions (#60597)

Commit	Type	Description
f4c4b10ea8	fix	Produce fatal diagnostic on duplicate decorated properties (#60376)
22a0e54ac4	fix	support relative imports to symbols outside `rootDir` (#60555)

Commit	Type	Description
64da69f7b6	fix	check ngDevMode for undefined (#60565)
8f68d1bec3	fix	fix ng generate @angular/core:output-migration (#60626)
bc79985c65	fix	fix regexp for event types (#60592)
006ac7f22f	fix	fixes #592882 ng generate @angular/core:signal-queries-migration (#60688)
da6e93f434	fix	preserve comments in internal inject migration (#60588)
dbbddd1617	fix	prevent omission of deferred pipes in full compilation (#60571)

Commit	Type	Description
15f53f035b	fix	handle shorthand assignments in super call (#60602)
4b161e6234	fix	inject migration not handling super parameter referenced via this (#60602)

Commit	Type	Description
13a8709b2b	fix	catch hydration marker with implicit body tag (#60429)
296aded9da	fix	execute timer trigger outside zone (#60392)
0615ffb4f7	fix	include input name in error message (#60404)

Commit	Type	Description
6dc41265fd	fix	check whether application is destroyed before initializing event replay (#59789)
bb12b30d52	fix	ensures immediate trigger fires properly with lazy loaded routes (#60203)
b144dd946e	fix	fix removal of a container reference used in the component file (#60210)

Commit	Type	Description
5b20bab96d	feat	Add Skip Hydration diagnostic. (#59576)
fe8a68329b	feat	support untagged template literals in expressions (#59230)

Commit	Type	Description
2588985f43	feat	pass signal node to throwInvalidWriteToSignalErrorFn (#59600)
168516462a	feat	support default value in `resource()` (#59655)
bc2ad7bfd3	feat	support streaming resources (#59573)
146ab9a76e	feat	support TypeScript 5.8 (#59830)
6c92d65349	fix	add `hasValue` narrowing to `ResourceRef` (#59708)
96e602ebe9	fix	cancel in-progress request when same value is assigned (#59280)
6789c7ef94	fix	Defer afterRender until after first CD (#59455) (#59551)
c87e581dd9	fix	Don't run effects in check no changes pass (#59455) (#59551)
127fc0dc84	fix	fix `resource()`'s `previous.state` (#59708)
b592b1b051	fix	fix race condition in resource() (#59851)
a299e02e91	fix	preserve tracing snapshot until tick finishes (#59796)

fix(deps): update dependency @angular/compiler to v19.2.17 [security]

GitHub Vulnerability Alerts

Impact

Patches

Attack Preconditions

Workarounds

Release Notes

compiler

http

Breaking Changes

core

core

compiler

migrations

common

service-worker

common

compiler

compiler-cli

core

platform-server

common

core

platform-server

core

forms

common

core

http

compiler

compiler-cli

core

language-service

animations

compiler

compiler-cli

core

language-service

migrations

router

service-worker

core

localize

platform-browser

compiler-cli

core

platform-browser-dynamic

upgrade

common

compiler

compiler-cli

core

platform-server

router

Breaking Changes

core

core

common

compiler

core

forms

migrations

Configuration