@angular/common@10.0.0-next.0.with-local-changes

Angular - commonly needed directives and services

  • latest version

    22.0.4

  • latest non vulnerable version

  • first published

    10 years ago

  • latest version published

    4 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the @angular/common package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • C
    Use of Weak Hash

    Affected versions of this package are vulnerable to Use of Weak Hash due to the use of a weak 32-bit hash in the HttpTransferCache. When a victim visits a crafted link containing the colliding parameter, the SSR process executes both the search request and the profile request. Due to the hash collision, the search response overwrites the profile response in the TransferState cache.

    How to fix Use of Weak Hash?

    Upgrade @angular/common to version 20.3.25, 21.2.17, 22.0.1 or higher.

    Vulnerable versions: <20.3.25, >=21.0.0-next.0 <21.2.17, >=22.0.0-next.0 <22.0.1
    • L
    Use of Cache Containing Sensitive Information

    Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information via the HttpTransferCache utility. An attacker can access sensitive user-specific information by making requests to pages that have been cached by a shared caching layer after another user has authenticated and triggered credentialed requests during server-side rendering.

    Note: This is only exploitable if server-side rendering and hydration are enabled, credentialed HTTP requests are performed during SSR, and the SSR-rendered HTML is cached by a shared caching layer without proper cache-control headers to distinguish authenticated users.

    How to fix Use of Cache Containing Sensitive Information?

    Upgrade @angular/common to version 19.2.23, 20.3.22, 21.2.15, 22.0.0-rc.2 or higher.

    Vulnerable versions: <19.2.23, >=20.0.0-next.0 <20.3.22, >=21.0.0-next.0 <21.2.15, >=22.0.0-next.0 <22.0.0-rc.2
    • H
    Regular Expression Denial of Service (ReDoS)

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the formatDate function when processing an excessively long or attacker-controlled date format string. By supplying a maliciously crafted format string, an attacker can cause high CPU and memory consumption, leading to application unavailability or browser unresponsiveness.

    Note: This is only exploitable if the application formats dates using the vulnerable utility or pipe and the format string is customizable or controlled by untrusted user input.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade @angular/common to version 20.3.25, 21.2.17, 22.0.1 or higher.

    Vulnerable versions: <20.3.25, >=21.0.0-next.0 <21.2.17, >=22.0.0-next.0 <22.0.1
    • H
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the formatNumber function when the digitsInfo parameter is controlled by untrusted user input. An attacker can exhaust system resources and cause application unavailability by supplying a specially crafted digitsInfo string with excessively large fraction digit values.

    Note: This is only exploitable if the application uses number formatting utilities and allows untrusted input to control the digitsInfo parameter.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade @angular/common to version 19.2.23, 20.3.22, 21.2.15, 22.0.0-rc.2 or higher.

    Vulnerable versions: <19.2.23, >=20.0.0-next.0 <20.3.22, >=21.0.0-next.0 <21.2.15, >=22.0.0-next.0 <22.0.0-rc.2
    • H
    Insertion of Sensitive Information Into Sent Data

    Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the built-in XSRF protection mechanism of HttpClient. An attacker can obtain sensitive authentication tokens by crafting requests using protocol-relative URLs that cause the token to be sent to domains under the attacker's control.

    Note: This is only exploitable if XSRF protection is enabled and the application allows requests to protocol-relative URLs.

    How to fix Insertion of Sensitive Information Into Sent Data?

    Upgrade @angular/common to version 19.2.16, 20.3.14, 21.0.1 or higher.

    Vulnerable versions: <19.2.16, >=20.0.0-next.0 <20.3.14, >=21.0.0-next.0 <21.0.1