@angular/core 14.0.0-next.0

Direct Vulnerabilities

Known vulnerabilities in the @angular/core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper handling of namespaced elements and attributes during template compilation and sanitization. An attacker can execute arbitrary JavaScript in the user's browser by injecting specially crafted templates or tag structures with custom namespaces that bypass script-stripping logic and attribute sanitizers. Note: This is only exploitable if the application accepts user-controlled template input, supports namespace parsing in templates, and does not perform additional input sanitization before processing with the template compiler. How to fix Cross-site Scripting (XSS)? Upgrade `@angular/core` to version 19.2.18, 20.3.22, 21.2.15, 22.0.0-rc.2 or higher.	<19.2.18>=20.0.0-next.0 <20.3.22>=21.0.0-next.0 <21.2.15>=22.0.0-next.0 <22.0.0-rc.2
H Modification of Assumed-Immutable Data @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this package are vulnerable to Modification of Assumed-Immutable Data via `document.getElementById('ng-state')`, during client-side SSR hydration, which enables DOM clobbering. An attacker can inject malicious JSON payloads into the application's `TransferState` cache by introducing a DOM element with a predictable identifier before the legitimate state script is parsed, causing forged API responses to be served to users and leading to the execution of arbitrary scripts, privilege escalation, or UI manipulation. How to fix Modification of Assumed-Immutable Data? Upgrade `@angular/core` to version 20.3.25, 21.2.17, 22.0.1 or higher.	<20.3.25>=21.0.0-next.0 <21.2.17>=22.0.0-next.0 <22.0.1
M Cross-site Scripting (XSS) @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the createComponent mechanism. An attacker can execute arbitrary JavaScript code in the context of the user's browser by mounting a dynamic component onto a `<script>` or namespaced script element when user-controlled input is passed as the selector or host element and no additional input sanitization is performed. How to fix Cross-site Scripting (XSS)? Upgrade `@angular/core` to version 19.2.23, 20.3.22, 21.2.15, 22.0.0-rc.2 or higher.	<19.2.23>=20.0.0-next.0 <20.3.22>=21.0.0-next.0 <21.2.15>=22.0.0-next.0 <22.0.0-rc.2
L Cross-site Scripting (XSS) @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of `internationalized attribute` bindings. An attacker can execute arbitrary scripts in the context of the application by injecting malicious input into attributes such as `href`, `src`, or similar, when these are marked for internationalization and bound to unsanitized user data. Note: This is only exploitable if unsanitized user input is bound to a security-sensitive attribute that is also marked with an `i18n-<attribute>` directive on the same element. How to fix Cross-site Scripting (XSS)? Upgrade `@angular/core` to version 19.2.20, 20.3.18, 21.2.3, 22.0.0-next.2 or higher.	<19.2.20>=20.0.0-next.0 <20.3.18>=21.0.0-next.0 <21.2.3>=22.0.0-next.0 <22.0.0-next.2
H Cross-site Scripting (XSS) @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the i18n pipeline when HTML from translated content in ICU messages is not properly sanitized. An attacker can execute arbitrary JavaScript in the application origin by compromising the translation file (such as xliff or xtb) and injecting malicious content. Note: This is only exploitable if the application uses Angular i18n, includes one or more ICU messages, renders an ICU message, and does not defend against script injection via a strict content security policy. How to fix Cross-site Scripting (XSS)? Upgrade `@angular/core` to version 19.2.19, 20.3.17, 21.1.6, 21.2.0 or higher.	<19.2.19>=20.0.0-next.0 <20.3.17>=21.0.0-next.0 <21.1.6>=21.2.0-next.0 <21.2.0
L Cross-site Scripting (XSS) @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of SVG `<script>` element attributes `href` and `xlink:href` when user-controlled data is bound to these attributes. An attacker can execute arbitrary JavaScript code in the victim's browser by supplying a crafted payload through untrusted data sources that are bound to these attributes. ##Workaround This vulnerability can be mitigated by avoiding dynamic template bindings for SVG `<script>` elements and strictly validating input against a trusted allowlist before it reaches the template. How to fix Cross-site Scripting (XSS)? Upgrade `@angular/core` to version 19.2.18, 20.3.16, 21.0.7, 21.1.0-rc.0 or higher.	<19.2.18>=20.0.0-next.0 <20.3.16>=21.0.0-next.0 <21.0.7>=21.1.0-next.0 <21.1.0-rc.0

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

@angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper handling of namespaced elements and attributes during template compilation and sanitization. An attacker can execute arbitrary JavaScript in the user's browser by injecting specially crafted templates or tag structures with custom namespaces that bypass script-stripping logic and attribute sanitizers.

Note: This is only exploitable if the application accepts user-controlled template input, supports namespace parsing in templates, and does not perform additional input sanitization before processing with the template compiler.

How to fix Cross-site Scripting (XSS)?

Upgrade @angular/core to version 19.2.18, 20.3.22, 21.2.15, 22.0.0-rc.2 or higher.

<19.2.18>=20.0.0-next.0 <20.3.22>=21.0.0-next.0 <21.2.15>=22.0.0-next.0 <22.0.0-rc.2

Modification of Assumed-Immutable Data

Affected versions of this package are vulnerable to Modification of Assumed-Immutable Data via document.getElementById('ng-state'), during client-side SSR hydration, which enables DOM clobbering. An attacker can inject malicious JSON payloads into the application's TransferState cache by introducing a DOM element with a predictable identifier before the legitimate state script is parsed, causing forged API responses to be served to users and leading to the execution of arbitrary scripts, privilege escalation, or UI manipulation.

How to fix Modification of Assumed-Immutable Data?

Upgrade @angular/core to version 20.3.25, 21.2.17, 22.0.1 or higher.

<20.3.25>=21.0.0-next.0 <21.2.17>=22.0.0-next.0 <22.0.1

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the createComponent mechanism. An attacker can execute arbitrary JavaScript code in the context of the user's browser by mounting a dynamic component onto a <script> or namespaced script element when user-controlled input is passed as the selector or host element and no additional input sanitization is performed.

How to fix Cross-site Scripting (XSS)?

Upgrade @angular/core to version 19.2.23, 20.3.22, 21.2.15, 22.0.0-rc.2 or higher.

<19.2.23>=20.0.0-next.0 <20.3.22>=21.0.0-next.0 <21.2.15>=22.0.0-next.0 <22.0.0-rc.2

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of internationalized attribute bindings. An attacker can execute arbitrary scripts in the context of the application by injecting malicious input into attributes such as href, src, or similar, when these are marked for internationalization and bound to unsanitized user data.

Note: This is only exploitable if unsanitized user input is bound to a security-sensitive attribute that is also marked with an i18n-<attribute> directive on the same element.

How to fix Cross-site Scripting (XSS)?

Upgrade @angular/core to version 19.2.20, 20.3.18, 21.2.3, 22.0.0-next.2 or higher.

<19.2.20>=20.0.0-next.0 <20.3.18>=21.0.0-next.0 <21.2.3>=22.0.0-next.0 <22.0.0-next.2

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the i18n pipeline when HTML from translated content in ICU messages is not properly sanitized. An attacker can execute arbitrary JavaScript in the application origin by compromising the translation file (such as xliff or xtb) and injecting malicious content.

Note:

This is only exploitable if the application uses Angular i18n, includes one or more ICU messages, renders an ICU message, and does not defend against script injection via a strict content security policy.

How to fix Cross-site Scripting (XSS)?

Upgrade @angular/core to version 19.2.19, 20.3.17, 21.1.6, 21.2.0 or higher.

<19.2.19>=20.0.0-next.0 <20.3.17>=21.0.0-next.0 <21.1.6>=21.2.0-next.0 <21.2.0

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of SVG <script> element attributes href and xlink:href when user-controlled data is bound to these attributes. An attacker can execute arbitrary JavaScript code in the victim's browser by supplying a crafted payload through untrusted data sources that are bound to these attributes.

##Workaround

This vulnerability can be mitigated by avoiding dynamic template bindings for SVG <script> elements and strictly validating input against a trusted allowlist before it reaches the template.

How to fix Cross-site Scripting (XSS)?

Upgrade @angular/core to version 19.2.18, 20.3.16, 21.0.7, 21.1.0-rc.0 or higher.

<19.2.18>=20.0.0-next.0 <20.3.16>=21.0.0-next.0 <21.0.7>=21.1.0-next.0 <21.1.0-rc.0

@angular/core@14.0.0-next.0

Angular - the core framework

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically