Angular SSR Vulnerability Allows Attackers to Access Sensitive Data
gbhackers
A high-severity vulnerability in Angular’s server-side rendering (SSR) feature can expose sensitive data when multiple requests are handled at the same time.
This flaw, tracked as CVE-2025-59052, stems from a global race condition in the platform injector that may cause cross-request data leakage.
Organizations using vulnerable Angular versions should update immediately or implement recommended workarounds to avoid potential data breaches.
Vulnerability Details
Angular’s SSR uses a dependency injection container called the platform injector to store request-specific data during rendering.
CVE ID | Impact | CVSS Score |
---|---|---|
CVE-2025-59052 | Leakage of request-specific data across sessions | 7.1 (High) |
Historically, this container was defined as a module-scoped global variable. When two or more rendering requests occur concurrently, they can share or overwrite this global injector state.
As a result, information intended for one user’s session, such as authentication tokens, user-specific settings, or database query results, could appear in another user ...
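The race described above, reduced to a minimal added example (not Angular's code and not part of the original article): a module-scoped container is overwritten while two renders are in flight, next to a request-scoped version and a check that flags cross-request leakage. All function names, the generator-based scheduler and the sample requests are assumptions made for illustration.

```javascript
// Added illustration, not Angular source; every name here is hypothetical.
let platformInjector = null; // vulnerable: module-scoped, shared by all renders

// Generators stand in for async rendering: each `yield` marks a point where
// the server can switch to another in-flight request, as an `await` would.
function* renderShared(request) {
  platformInjector = { token: request.token }; // store request-specific data
  yield; // e.g. waiting on a data fetch
  return `<p>session=${platformInjector.token}</p>`; // reads the current global
}

// Hardened: each render owns its container, nothing is module-scoped.
function* renderScoped(request) {
  const injector = { token: request.token };
  yield;
  return `<p>session=${injector.token}</p>`;
}

// Drive several renders concurrently, round-robin, one step at a time.
function renderConcurrently(render, requests) {
  const tasks = requests.map((req) => ({ user: req.user, gen: render(req) }));
  const html = {};
  while (Object.keys(html).length < tasks.length) {
    for (const task of tasks) {
      if (task.user in html) continue;
      const step = task.gen.next();
      if (step.done) html[task.user] = step.value;
    }
  }
  return html;
}

// Check: report any page that contains a token belonging to another request.
function findLeaks(requests, html) {
  return requests.flatMap((req) =>
    requests
      .filter((other) => other !== req && html[req.user].includes(other.token))
      .map((other) => ({ servedTo: req.user, contains: other.user })));
}

// Constructed sample requests.
const sampleRequests = [
  { user: "alice", token: "tok-alice-111" },
  { user: "bob", token: "tok-bob-222" },
];
console.log("shared:", findLeaks(sampleRequests, renderConcurrently(renderShared, sampleRequests)));
console.log("scoped:", findLeaks(sampleRequests, renderConcurrently(renderScoped, sampleRequests)));
```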
Copyright of this story solely belongs to gbhackers.