chore(deps): update dependency @angular/compiler to v21.2.17 [security]#231
chore(deps): update dependency @angular/compiler to v21.2.17 [security]#231renovate[bot] wants to merge 1 commit into
Conversation
|
Important Review skippedReview was skipped due to path filters ⛔ Files ignored due to path filters (1)
CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. |
|
View your CI Pipeline Execution ↗ for commit 9add5fc
☁️ Nx Cloud last updated this comment at |
|
View your CI Pipeline Execution ↗ for commit cf11e58
☁️ Nx Cloud last updated this comment at |
renovate
Bot
force-pushed
the
renovate/npm-angular-compiler-vulnerability
branch
from
cf11e58 to
f602a9a
Compare
renovate
Bot
force-pushed
the
renovate/npm-angular-compiler-vulnerability
branch
from
f602a9a to
9add5fc
Compare
This PR contains the following updates:
21.2.15→21.2.17@angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)
CVE-2026-54265 / GHSA-58w9-8g37-x9v5
More information
Details
An issue in the
@angular/compilerpackage allows bypassing DOM property sanitization through the use of two-way property bindings.Specifically, when a native DOM property that requires sanitization (such as
innerHTML,srcdoc,src,href,data, orsandbox) is bound using the two-way binding syntax (e.g.,[(innerHTML)]="value"orbindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to theTwoWayPropertyoperation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized.This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS).
Impact
Any Angular application that uses two-way data binding (
[()]orbindon-) on security-sensitive native DOM properties (likeinnerHTML,hrefon<a>,srcon<img>/<iframe>, etc.) is vulnerable to this security bypass.Once exploited, this allows a malicious actor to supply an unsanitized property binding value that bypasses core sanitization constraints. This could lead to the execution of arbitrary JavaScript within the target user's browser context, potentially resulting in session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user.
Attack Preconditions
To successfully exploit this vulnerability, the following environment parameters and application states must concurrently exist:
<div [(innerHTML)]="userContent"></div>).DomSanitizer) before passing the value to the bound property.Patches
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
angular/angular (@angular/compiler)
v21.2.17Compare Source
Deprecations
platform-server
@angular/platform-serveris deprecated. Use standardfetchAPIs instead.common
compiler
core
http
platform-server
service-worker
v21.2.16Compare Source
common
compiler
core
platform-server
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.