chore(deps): update dependency @angular/core to v21.2.17 [security]#398

Open
renovate[bot] wants to merge 1 commit into master from renovate/npm-angular-core-vulnerability
Conversation

@renovate renovate Bot commented Jun 16, 2026


This PR contains the following updates:

Package Change Age Confidence
@angular/core (source) 21.2.15 → 21.2.17

Angular Client Hydration DOM Clobbering & Response-Cache Poisoning

CVE-2026-54267 / GHSA-rgjc-h3x7-9mwg

Details

To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application's runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a <script> tag with a predictable identifier:

<script type="application/json" id="ng-state">
    {"some-api-url": {"body": ...}}
</script>

During client bootstrap, Angular recovers this state by looking up the element via document.getElementById('ng-state') and parsing its text content.

Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering.

If the application binds untrusted user input or CMS content to element properties such as id (e.g., <div [id]="userInput"> or <a id="ng-state">) before the genuine <script> tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup.

During hydration, when Angular calls document.getElementById('ng-state'), the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON.

Impact

By clobbering the state element, the attacker can inject a custom JSON payload into Angular's TransferState cache. The most critical exploitation vector is poisoning the HTTP Transfer Cache.

  1. The attacker injects a clobbered ng-state element containing custom JSON.
  2. The JSON maps a key (representing a target API endpoint URL) to a malicious payload of the attacker's choice.
  3. During client-side initialization, Angular's HttpClient checks TransferState before making requests. Finding the poisoned key, HttpClient returns the forged response instantly instead of requesting the genuine backend API.

Depending on how the application processes and renders the affected API response, this can lead to:

  • DOM-based Cross-Site Scripting (XSS) if poisoned fields are rendered using unsafe bindings.
  • Privilege Escalation by spoofing user info or session details retrieved from poisoned API payloads.
  • UI Hijacking and redirection by spoofing configuration endpoints.
Patched Versions
  • 22.0.1
  • 21.2.17
  • 20.3.25
Workarounds

If you cannot immediately update to a patched Angular version, apply the following workarounds:

A. Avoid Dynamic/User-Controlled IDs

Avoid binding raw user-supplied values or dynamic CMS IDs directly to element attributes. If dynamic IDs are required, sanitize them or prepend a static safe prefix:

<!-- Vulnerable Pattern -->
<div [id]="userControlledInput">...</div>

<!-- Mitigated Pattern -->
<div [id]="'safe-prefix-' + userControlledInput">...</div>
B. Configure a Custom Application ID

Declaring a unique, non-predictable APP_ID changes the ID suffix of the state element, making it harder for attackers to predict and target:

// app.config.ts

import { APP_ID } from '@angular/core';
import { provideClientHydration } from '@angular/platform-browser';

export const appConfig = {
  providers: [
    { provide: APP_ID, useValue: 'unique-obfuscated-app-id' },
    provideClientHydration()
  ]
};

This changes the state element lookup ID from ng-state to unique-obfuscated-app-id-state.

Severity

  • CVSS Score: 8.6 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

angular/angular (@angular/core)

v21.2.17

Deprecations

platform-server
  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.
common
Commit Type Description
86a56dc279 fix Limits date format string length
d846326b07 fix skip transfer cache for uncacheable HTTP traffic
bc55749698 fix use cryptographically secure SHA-256 for transfer cache key generation
compiler
Commit Type Description
dc9c99636d fix sanitize two-way properties
core
Commit Type Description
1523061137 fix harden TransferState restoration against DOM clobbering
88832c84f8 fix validate lowercase SVG animation attribute names (#69269)
http
Commit Type Description
bcb1b7ea25 fix preserve empty referrer option in HttpRequest
a810a319d1 fix Rejects non-HTTP(S) URLs in JSONP requests
e245d40c4d fix skip transfer cache for fetch credentialed requests
platform-server
Commit Type Description
35510746b7 fix harden platform location origin validation during SSR
13fb0afe93 refactor deprecate ServerXhr (#69255)
service-worker
Commit Type Description
b9d29381bb fix Strips sensitive headers on cross-origin redirects

v21.2.16

common
Commit Type Description
f6d8e642b0 fix only strip a literal /index.html suffix from URLs
compiler
Commit Type Description
ae1c8a1f7a fix move projection attributes into constants
core
Commit Type Description
3fd6897a67 fix harden inherit definition feature against polluted prototypes
7e38336dc7 fix use Object.create(null) for LOCALE_DATA as a hardening measure
platform-server
Commit Type Description
66821c4ed5 fix throw on suspicious URLs and restrict protocol-relative URLs
d3170031b6 fix update domino to latest version

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
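The advisory quoted in the PR body explains that the hydration state is recovered through a bare getElementById() on a predictable id, so whichever element reaches the parser first with that id wins. The block below is an added illustration written for this page; it is not Angular's code and not part of this PR. It models the lookup over a constructed stand-in for the DOM, places the clobberable lookup beside a type-checked one that only accepts a script element of type application/json, and adds helpers for the two workarounds (a static id prefix, and a state id derived from a custom APP_ID). The function names, the sample JSON, the fake page contents and the id my-app-7f3a are assumptions made for the example.

```javascript
// Added example (not Angular's own code): a minimal model of the hydration
// state lookup described in the advisory, with a vulnerable and a hardened form.

// Stand-in for a DOM: elements in document order, first id match wins,
// which is the getElementById() behaviour the advisory relies on.
function makeDocument(elements) {
  return {
    getElementById(id) {
      return elements.find((el) => el.id === id) || null;
    },
  };
}

// Vulnerable pattern: trust whatever element carries the id and parse its text.
function restoreStateUnsafe(doc, appId = 'ng') {
  const el = doc.getElementById(`${appId}-state`);
  if (!el) return {};
  try {
    return JSON.parse(el.textContent);
  } catch {
    return {};
  }
}

// Hardened pattern: accept only a <script type="application/json"> element.
// Any other element carrying the same id (a <div> or <a> bound to user input)
// is ignored, so the lookup fails closed and no state is restored from it.
function restoreStateHardened(doc, appId = 'ng') {
  const el = doc.getElementById(`${appId}-state`);
  if (!el || el.tagName !== 'SCRIPT' || el.type !== 'application/json') {
    return {};
  }
  try {
    const parsed = JSON.parse(el.textContent);
    // Only a plain object can be a state map; reject arrays and primitives.
    return parsed && typeof parsed === 'object' && !Array.isArray(parsed) ? parsed : {};
  } catch {
    return {};
  }
}

// Workaround A from the advisory: never let raw user input become an element id.
// A static prefix plus a conservative character set keeps the result from
// colliding with any framework-owned id.
function safeElementId(userInput, prefix = 'safe-prefix-') {
  return prefix + String(userInput).replace(/[^A-Za-z0-9_-]/g, '_');
}

// Constructed fake page: a user-controlled <div> with id "ng-state" is parsed
// by the browser before the genuine serialized-state <script>.
const CLOBBERED_PAGE = makeDocument([
  { tagName: 'DIV', id: 'ng-state',
    textContent: '{"/api/me":{"body":{"role":"admin"}}}' },
  { tagName: 'SCRIPT', type: 'application/json', id: 'ng-state',
    textContent: '{"/api/me":{"body":{"role":"user"}}}' },
]);

// Workaround B from the advisory: with a custom APP_ID (assumed value
// "my-app-7f3a") the genuine state element no longer carries the id "ng-state".
const APP_ID_PAGE = makeDocument([
  { tagName: 'DIV', id: 'ng-state',
    textContent: '{"/api/me":{"body":{"role":"admin"}}}' },
  { tagName: 'SCRIPT', type: 'application/json', id: 'my-app-7f3a-state',
    textContent: '{"/api/me":{"body":{"role":"user"}}}' },
]);

// Stand-alone run: the unsafe lookup returns the clobbered payload, the hardened
// lookup returns nothing from the clobbered page, and the APP_ID page restores
// the genuine state under its own id.
console.log(restoreStateUnsafe(CLOBBERED_PAGE));
console.log(restoreStateHardened(CLOBBERED_PAGE));
console.log(restoreStateHardened(APP_ID_PAGE, 'my-app-7f3a'));
console.log(safeElementId('ng-state'));
```

On the clobbered page the hardened lookup returns an empty state map rather than the genuine one, because the first element with the id is the clobbered div; hydration then falls back to fresh HTTP requests, which is the safe failure. A custom APP_ID only moves the id, so it reduces predictability but does not replace the element type check, and neither replaces keeping user input out of id bindings.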

@renovate renovate Bot enabled auto-merge (squash) June 16, 2026 02:49
changeset-bot Bot commented Jun 16, 2026

⚠️ No Changeset found

Latest commit: e52583d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@codesandbox-ci

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updated @angular/core@21.2.15 ⏵ 21.2.17 81 +1100 +1679 +198100

View full report

@github-actions

📊 Package size report   No changes

File Before After
Total (Includes all files) 3.5 MB 3.5 MB
Tarball size 1.1 MB 1.1 MB
Unchanged files
File Size
.browserslistrc 41 B
.changeset/config.json 311 B
.changeset/README.md 510 B
.codesandbox/ci.json 63 B
.commitlintrc 35 B
.editorconfig 145 B
.gitattributes 115 B
.github/workflows/autofix.yml 913 B
.github/workflows/ci.yml 1.7 kB
.github/workflows/pkg-pr-new.yml 646 B
.github/workflows/pkg-size.yml 702 B
.github/workflows/release.yml 1.3 kB
.markuplintrc 96 B
.nano-staged.js 48 B
.nvmrc 6 B
.postcssrc.cjs 49 B
.prettierignore 41 B
.prettierrc 24 B
.remarkrc 42 B
.renovaterc 49 B
.simple-git-hooks.js 49 B
.stylelintignore 209 B
.stylelintrc 90 B
.yarn/plugins/plugin-prepare-lifecycle.cjs 202 B
.yarn/releases/yarn-4.15.0.cjs 3.0 MB
.yarnrc.yml 398 B
CHANGELOG.md 1.1 kB
default.json 499 B
eslint.config.js 516 B
global.d.ts 53 B
LICENSE 1.1 kB
package.json 2.7 kB
packages/app-config/CHANGELOG.md 55.0 kB
packages/app-config/package.json 769 B
packages/app-config/README.md 2.7 kB
packages/babel-preset/CHANGELOG.md 24.7 kB
packages/babel-preset/config.js 43 B
packages/babel-preset/index.js 5.6 kB
packages/babel-preset/package.json 1.6 kB
packages/babel-preset/README.md 2.7 kB
packages/browserslist-config/_not.js 140 B
packages/browserslist-config/alauda-legacy.js 51 B
packages/browserslist-config/alauda.js 129 B
packages/browserslist-config/CHANGELOG.md 7.5 kB
packages/browserslist-config/index.js 116 B
packages/browserslist-config/latest.js 186 B
packages/browserslist-config/modern.js 167 B
packages/browserslist-config/package.json 570 B
packages/browserslist-config/README.md 2.7 kB
packages/commitlint-config/CHANGELOG.md 14.5 kB
packages/commitlint-config/index.js 537 B
packages/commitlint-config/package.json 638 B
packages/commitlint-config/README.md 2.7 kB
packages/common-config/CHANGELOG.md 51.6 kB
packages/common-config/package.json 954 B
packages/common-config/README.md 2.7 kB
packages/config/CHANGELOG.md 4.0 kB
packages/config/index.d.ts 308 B
packages/config/index.js 1.1 kB
packages/config/package.json 599 B
packages/config/README.md 2.7 kB
packages/eslint-config/_util.js 2.2 kB
packages/eslint-config/angular.js 1.2 kB
packages/eslint-config/base.d.ts 109 B
packages/eslint-config/base.js 5.8 kB
packages/eslint-config/CHANGELOG.md 60.8 kB
packages/eslint-config/index.d.ts 58 B
packages/eslint-config/index.js 58 B
packages/eslint-config/jest.js 391 B
packages/eslint-config/js-base.js 1.4 kB
packages/eslint-config/js.js 582 B
packages/eslint-config/loose.d.ts 110 B
packages/eslint-config/loose.js 1.4 kB
packages/eslint-config/overrides.d.ts 1.2 kB
packages/eslint-config/overrides.js 6.3 kB
packages/eslint-config/package.json 3.1 kB
packages/eslint-config/react.js 1.7 kB
packages/eslint-config/README.md 2.7 kB
packages/eslint-config/recommended.d.ts 116 B
packages/eslint-config/recommended.js 142 B
packages/eslint-config/test.js 309 B
packages/eslint-config/ts-base.js 4.0 kB
packages/eslint-config/vitest.js 396 B
packages/eslint-config/vue.js 1.5 kB
packages/markuplint-config/angular.js 122 B
packages/markuplint-config/base.d.ts 87 B
packages/markuplint-config/base.js 413 B
packages/markuplint-config/CHANGELOG.md 6.5 kB
packages/markuplint-config/index.d.ts 36 B
packages/markuplint-config/index.js 36 B
packages/markuplint-config/package.json 934 B
packages/markuplint-config/README.md 2.7 kB
packages/markuplint-config/vue.d.ts 85 B
packages/markuplint-config/vue.js 240 B
packages/nano-staged/_utils.js 429 B
packages/nano-staged/base.js 1.4 kB
packages/nano-staged/CHANGELOG.md 3.7 kB
packages/nano-staged/index.js 36 B
packages/nano-staged/ngc.js 216 B
packages/nano-staged/package.json 982 B
packages/nano-staged/README.md 2.7 kB
packages/nano-staged/tsc.js 255 B
packages/nano-staged/vue-tsc.js 249 B
packages/postcss-config/CHANGELOG.md 17.9 kB
packages/postcss-config/index.d.ts 88 B
packages/postcss-config/index.js 1.3 kB
packages/postcss-config/package.json 1.2 kB
packages/postcss-config/README.md 2.7 kB
packages/prettier-config/angular.d.ts 36 B
packages/prettier-config/angular.js 210 B
packages/prettier-config/base.d.ts 92 B
packages/prettier-config/base.js 2.0 kB
packages/prettier-config/CHANGELOG.md 29.5 kB
packages/prettier-config/index.d.ts 36 B
packages/prettier-config/index.js 36 B
packages/prettier-config/next.d.ts 36 B
packages/prettier-config/next.js 220 B
packages/prettier-config/package.json 1.5 kB
packages/prettier-config/quote.d.ts 36 B
packages/prettier-config/quote.js 94 B
packages/prettier-config/README.md 2.7 kB
packages/prettier-config/semi/angular.d.ts 37 B
packages/prettier-config/semi/angular.js 90 B
packages/prettier-config/semi/index.d.ts 37 B
packages/prettier-config/semi/index.js 87 B
packages/prettier-config/semi/next.d.ts 37 B
packages/prettier-config/semi/next.js 87 B
packages/prettier-config/semi/quote.d.ts 37 B
packages/prettier-config/semi/quote.js 88 B
packages/prettier-config/semi/vue.d.ts 37 B
packages/prettier-config/semi/vue.js 86 B
packages/prettier-config/vue.d.ts 36 B
packages/prettier-config/vue.js 206 B
packages/remark-preset/CHANGELOG.md 9.0 kB
packages/remark-preset/index.js 1.3 kB
packages/remark-preset/package.json 1.1 kB
packages/remark-preset/README.md 2.7 kB
packages/simple-git-hooks/CHANGELOG.md 4.6 kB
packages/simple-git-hooks/index.js 193 B
packages/simple-git-hooks/package.json 711 B
packages/simple-git-hooks/README.md 2.7 kB
packages/stylelint-config/_overrides.js 939 B
packages/stylelint-config/base.d.ts 76 B
packages/stylelint-config/base.js 1.5 kB
packages/stylelint-config/CHANGELOG.md 23.7 kB
packages/stylelint-config/index.d.ts 80 B
packages/stylelint-config/index.js 72 B
packages/stylelint-config/loose.d.ts 78 B
packages/stylelint-config/loose.js 76 B
packages/stylelint-config/modules.d.ts 82 B
packages/stylelint-config/modules.js 263 B
packages/stylelint-config/package.json 1.3 kB
packages/stylelint-config/README.md 2.7 kB
packages/stylelint-config/scss/base.d.ts 76 B
packages/stylelint-config/scss/base.js 1.4 kB
packages/stylelint-config/scss/index.d.ts 36 B
packages/stylelint-config/scss/index.js 36 B
packages/stylelint-config/scss/loose.d.ts 78 B
packages/stylelint-config/scss/loose.js 369 B
packages/tsconfig/angular.json 306 B
packages/tsconfig/app.json 282 B
packages/tsconfig/CHANGELOG.md 11.7 kB
packages/tsconfig/dom-lib.json 158 B
packages/tsconfig/erasable.json 147 B
packages/tsconfig/lib.json 189 B
packages/tsconfig/loose.json 180 B
packages/tsconfig/ng-lib.json 387 B
packages/tsconfig/node.json 236 B
packages/tsconfig/node16.json 192 B
packages/tsconfig/nodenext.json 196 B
packages/tsconfig/package.json 602 B
packages/tsconfig/README.md 2.7 kB
packages/tsconfig/tsconfig.json 685 B
patches/vue-eslint-parser+10.4.0.patch 977 B
README.md 4.0 kB
SECURITY.md 212 B
tests/_test.ts 1.1 kB
tests/global.d.ts 41 B
tests/test.cjs 742 B
tests/test.component.html 142 B
tests/test.component.ts 198 B
tests/test.css 53 B
tests/test.d.ts 409 B
tests/test.html 191 B
tests/test.js 753 B
tests/test.json 23 B
tests/test.json5 22 B
tests/test.jsonc 37 B
tests/test.less 315 B
tests/test.md 61 B
tests/test.mdx 143 B
tests/test.pug 17 B
tests/test.scss 381 B
tests/test.sh 20 B
tests/test.spec.js 129 B
tests/test.spec.ts 671 B
tests/test.svg 1.2 kB
tests/test.toml 16 B
tests/test.vue 439 B
tests/test.yaml 13 B
tests/test.yml 13 B
tests/test1.jsx 347 B
tests/test2.ts 1.8 kB
tests/test3.tsx 395 B
tsconfig.json 41 B
vitest.config.ts 227 B

🤖 This report was automatically generated by pkg-size-action

pkg-pr-new Bot commented Jun 16, 2026

@1stg/app-config

npm i https://pkg.pr.new/@1stg/app-config@398

@1stg/babel-preset

npm i https://pkg.pr.new/@1stg/babel-preset@398

@1stg/browserslist-config

npm i https://pkg.pr.new/@1stg/browserslist-config@398

@1stg/commitlint-config

npm i https://pkg.pr.new/@1stg/commitlint-config@398

@1stg/common-config

npm i https://pkg.pr.new/@1stg/common-config@398

@1stg/config

npm i https://pkg.pr.new/@1stg/config@398

@1stg/eslint-config

npm i https://pkg.pr.new/@1stg/eslint-config@398

@1stg/markuplint-config

npm i https://pkg.pr.new/@1stg/markuplint-config@398

@1stg/nano-staged

npm i https://pkg.pr.new/@1stg/nano-staged@398

@1stg/postcss-config

npm i https://pkg.pr.new/@1stg/postcss-config@398

@1stg/prettier-config

npm i https://pkg.pr.new/@1stg/prettier-config@398

@1stg/remark-preset

npm i https://pkg.pr.new/@1stg/remark-preset@398

@1stg/simple-git-hooks

npm i https://pkg.pr.new/@1stg/simple-git-hooks@398

@1stg/stylelint-config

npm i https://pkg.pr.new/@1stg/stylelint-config@398

@1stg/tsconfig

npm i https://pkg.pr.new/@1stg/tsconfig@398

commit: e52583d
