chore(deps): update dependency @angular/ssr to v20.3.6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/ssr	20.1.2 → 20.3.6

GitHub Vulnerability Alerts

CVE-2025-59052

Impact

Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state.

In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks.

The following APIs were vulnerable and required SSR-only breaking changes:

• bootstrapApplication: This function previously implicitly retrieved the last platform injector that was created. It now requires an explicit BootstrapContext in a server environment. This function is only used for standalone applications. NgModule-based applications are not affected.
• getPlatform: This function previously returned the last platform instance that was created. It now always returns null in a server environment.
• destroyPlatform: This function previously destroyed the last platform instance that was created. It's now a no-op when called in a server environment.

For bootstrapApplication, the framework now provides a new argument to the application's bootstrap function:

// Before:
const bootstrap = () => bootstrapApplication(AppComponent, config);

// After:
const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

As is usually the case for changes to Angular, an automatic schematic will take care of these code changes as part of ng update:

# For apps on Angular v20:
ng update @​angular/cli @​angular/core

# For apps on Angular v19:
ng update @​angular/cli@19 @​angular/core@19

# For apps on Angular v18:
ng update @​angular/cli@18 @​angular/core@18

The schematic can also be invoked explicitly if the version bump was pulled in independently:

# For apps on Angular v20:
ng update @​angular/core --name add-bootstrap-context-to-server-main

# For apps on Angular v19:
ng update @​angular/core@19 --name add-bootstrap-context-to-server-main

# For apps on Angular v18:
ng update @​angular/core@18 --name add-bootstrap-context-to-server-main

For applications that still use CommonEngine, the bootstrap property in CommonEngineOptions also gains the same context argument in the patched versions of Angular.

In local development (ng serve), Angular CLI triggered a codepath for Angular's "JIT" feature on the server even in applications that weren't using it in the browser. The codepath introduced async behavior between platform creation and application bootstrap, triggering the race condition even if an application didn't explicitly use getPlatform or custom async logic in bootstrap. Angular applications should never run in this mode outside of local development.

Patches

The issue has been patched in all active release lines as well as in the v21 prerelease:

• @angular/platform-server: 21.0.0-next.3

• @angular/platform-server: 20.3.0

• @angular/platform-server: 19.2.15

• @angular/platform-server: 18.2.14

• @angular/ssr: 21.0.0-next.3

• @angular/ssr: 20.3.0

• @angular/ssr: 19.2.16

• @angular/ssr: 18.2.21

Workarounds

• Disable SSR via Server Routes (v19+) or builder options.
• Remove any asynchronous behavior from custom bootstrap functions.
• Remove uses of getPlatform() in application code.
• Ensure that the server build defines ngJitMode as false.

References

• https://github.com/angular/angular/pull/63562
• https://github.com/angular/angular-cli/pull/31108

CVE-2025-62427

Impact

The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr).

The function createRequestUrl uses the native URL constructor. When an incoming request path (e.g., originalUrl or url) begins with a double forward slash (//) or backslash (\\), the URL constructor treats it as a schema-relative URL. This behavior overrides the security-intended base URL (protocol, host, and port) supplied as the second argument, instead resolving the URL against the scheme of the base URL but adopting the attacker-controlled hostname.

This allows an attacker to specify an external domain in the URL path, tricking the Angular SSR environment into setting the page's virtual location (accessible via DOCUMENT or PlatformLocation tokens) to this attacker-controlled domain. Any subsequent relative HTTP requests made during the SSR process (e.g., using HttpClient.get('assets/data.json')) will be incorrectly resolved against the attacker's domain, forcing the server to communicate with an arbitrary external endpoint.

Exploit Scenario

A request to http://localhost:4200//attacker-domain.com/some-page causes Angular to believe the host is attacker-domain.com. A relative request to api/data then becomes a server-side request to http://attacker-domain.com/api/data.

Patches

• @angular/ssr 19.2.18
• @angular/ssr 20.3.6
• @angular/ssr 21.0.0-next.8

Mitigation

The application's internal location must be robustly determined from the incoming request. The fix requires sanitizing or validating the request path to prevent it from being interpreted as a schema-relative URL (i.e., ensuring it does not start with //).

Server-Side Middleware

If you can't upgrade to a patched version, implement a middleware on the Node.js/Express server that hosts the Angular SSR application to explicitly reject or sanitize requests where the path begins with a double slash (//).

Example (Express/Node.js):

// Place this middleware before the Angular SSR handler
app.use((req, res, next) => {
  if (req.originalUrl?.startsWith('//')) {
    // Sanitize by forcing a single slash
    req.originalUrl = req.originalUrl.replace(/^\/\/+/, '/');
    req.url = req.url.replace(/^\/\/+/, '/');
  }
  next();
});

References

• Report: https://github.com/angular/angular-cli/issues/31464
• Fix: https://github.com/angular/angular-cli/pull/31474

---

Release Notes

angular/angular-cli (@​angular/ssr)

v20.3.6

Compare Source

@​angular/ssr

Commit	Type	Description
5271547c8	fix	prevent malicious URL from overriding host

v20.3.5

Compare Source

@​angular/build

Commit	Type	Description
7f7140680	fix	cleanup karma temporary directory after process exit

v20.3.4

Compare Source

@​schematics/angular

Commit	Type	Description
c94bf7ff0	fix	Out of the box support for PM2
465436c9f	fix	use bracket notation for process.env['pm_id']

@​angular-devkit/build-angular

Commit	Type	Description
bc6b63114	fix	mark InjectionToken as pure for improved tree-shaking

@​angular/build

Commit	Type	Description
e510ff828	fix	mark InjectionToken as pure for improved tree-shaking

v20.3.3

Compare Source

@​schematics/angular

Commit	Type	Description
b7f92da78	fix	add __screenshots__/ to .gitignore

@​angular/ssr

Commit	Type	Description
a4c9a2007	fix	avoid retaining rendered HTML in memory post-request

v20.3.2

Compare Source

v20.3.1

Compare Source

@​angular/build

Commit	Type	Description
be60be499	fix	add timestamp to bundle generation log
d60f4e53d	fix	update vite to version 7.1.5

v20.3.0

Compare Source

Breaking Changes

@​angular/ssr

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

@​schematics/angular

Commit	Type	Description
ef20a278d	fix	align labels in ai-config schema

@​angular/cli

Commit	Type	Description
f6ad41c13	fix	improve bun lockfile detection and optimize lockfile checks

@​angular-devkit/build-angular

Commit	Type	Description
1a7890873	fix	avoid extra tick in SSR builds

@​angular/build

Commit	Type	Description
5d46d6ec1	fix	preserve names in esbuild for improved debugging in dev mode

@​angular/ssr

Commit	Type	Description
7eacb4187	feat	introduce BootstrapContext for isolated server-side rendering

v20.2.2

Compare Source

@​angular/cli

Commit	Type	Description
a793bbc47	fix	don't set a default for array options when length is 0
2736599e2	fix	set process title when running architect commands

@​angular/build

Commit	Type	Description
5c2abffea	fix	avoid extra tick in SSR dev-server builds
f3c826853	fix	maintain media output hashing with vitest unit-testing

v20.2.1

Compare Source

@​angular/cli

Commit	Type	Description
3b693e09e	fix	correctly set default array values

@​schematics/angular

Commit	Type	Description
6937123a3	fix	directly resolve karma config template in migration
5d6dd4425	fix	prevent AI config schematic from failing when 'none' and other AI tools are selected

@​angular-devkit/schematics-cli

Commit	Type	Description
e93919dea	fix	correctly set default array values

@​angular/build

Commit	Type	Description
06a6ddc10	fix	correct JS/TS file paths when running under Bazel
b6816b0cb	fix	ensure karma polyfills reporter factory returns a value

v20.2.0

Compare Source

@​angular/cli

Commit	Type	Description
b4de9a1bf	feat	add --experimental-tool option to mcp command
755ba70fd	feat	add --local-only option to mcp command
59d7ef343	feat	add --read-only option to mcp command
4e92eb6f1	feat	add modernize tool to the MCP server
a3b25f675	fix	add choices to command line parser when type is array and has an enum
e19eee614	fix	address Node.js deprecation DEP0190
4ee6f327a	fix	apply default to array types
8ba6b0bcc	fix	use correct path for MCP get_best_practices tool

@​schematics/angular

Commit	Type	Description
2e3cfd598	feat	add migration to remove default Karma configurations
d80dae276	feat	add schematics to generate ai context files.
ffe6fb916	fix	allow AI config prompt to be skipped without selecting a value
ae2802b7d	fix	improve AI config prompt wording
b017f84fd	fix	improve coverage directory handling for Karma configuration comparisons
6a79f9a75	fix	zoneless is now stable

@​angular-devkit/schematics

Commit	Type	Description
c43504d8d	fix	address Node.js deprecation DEP0190

@​angular/build

Commit	Type	Description
fb06bb505	feat	add headless mode for vitest browser mode

v20.1.6

Compare Source

@​schematics/angular

Commit	Type	Description
584bc1d41	fix	add extra prettier config
02b0506fd	fix	correct configure the typeSeparator in the library schematic

v20.1.5

Compare Source

@​angular/cli

Commit	Type	Description
48ca04474	fix	cache MCP best practices content and add tool annotations

v20.1.4

Compare Source

@​angular/cli

Commit	Type	Description
2d753cc62	fix	skip workspace-specific tools when outside a workspace

@​angular/build

Commit	Type	Description
42d72ef4d	fix	skip vite transformation of CSS-like assets

v20.1.3

Compare Source

@​angular/build

Commit	Type	Description
ea5cd0e81	fix	update vite to 7.0.6

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.