Upgrade @angular/platform-server to version 18.2.14, 19.2.15, 20.3.0, 21.0.0-next.3 or higher.
@angular/platform-server is an Angular library for using Angular in Node.js.
Affected versions of this package are vulnerable to Race Condition between multiple concurrent requests in the global platform injector, when using the bootstrapApplication, getPlatform, or destroyPlatform functions. This allows data (including sensitive data) to be leaked between requests and included in rendered content or response headers for the wrong request.
Note: The CLI is vulnerable even if an application is not explicitly using getPlatform, and exposes this vulnerability if exposed to remote connections.
This vulnerability can be avoided by disabling SSR via Server Routes or builder options, removing all asynchronous behavior from custom bootstrap functions, removing uses of getPlatform() in application code, and/or ensuring that the server build defines ngJitMode as false.
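The bug class described above, as an added example that is not code from Angular or from this advisory: a simplified model in which per-request state is parked in a process-wide slot across an `await`, next to a request-scoped variant and a check that flags cross-request leakage. Every name here (`sharedPlatform`, `renderShared`, `renderScoped`, `leaked`) and both sample requests are constructed for illustration.

```javascript
// Constructed model of the bug class; not Angular's code, all names are hypothetical.
let sharedPlatform = null; // process-wide slot, standing in for a global platform injector

// Vulnerable shape: request state is parked in the global slot across an await.
async function renderShared(req) {
  sharedPlatform = { user: req.user, headers: {} };
  await Promise.resolve(); // async bootstrap step: other requests run here
  const platform = sharedPlatform; // may now belong to a different request
  platform.headers['x-session'] = req.session;
  return { body: `Hello ${platform.user}`, headers: platform.headers };
}

// Request-scoped shape: the context is a local value and never touches module state.
async function renderScoped(req) {
  const platform = { user: req.user, headers: {} };
  await Promise.resolve();
  platform.headers['x-session'] = req.session;
  return { body: `Hello ${platform.user}`, headers: platform.headers };
}

// Run two constructed requests concurrently through the given renderer.
async function renderConcurrently(render) {
  const alice = { user: 'alice', session: 'sess-alice' };
  const bob = { user: 'bob', session: 'sess-bob' };
  const [a, b] = await Promise.all([render(alice), render(bob)]);
  return { alice: a, bob: b };
}

// Regression check: does any response carry another user's body or header?
function leaked(result) {
  return Object.entries(result).some(
    ([user, res]) =>
      res.body !== `Hello ${user}` || res.headers['x-session'] !== `sess-${user}`
  );
}

async function demo() {
  const shared = await renderConcurrently(renderShared);
  const scoped = await renderConcurrently(renderScoped);
  return { shared, scoped, sharedLeaks: leaked(shared), scopedLeaks: leaked(scoped) };
}
```

A concurrent-request check of this kind only fails when two requests overlap at the suspension point, so sequential SSR tests will not surface the problem.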