chore(deps): update dependency @angular/compiler to v20.3.25 [security] - autoclosed #355

Closed
renovate[bot] wants to merge 1 commit into master from renovate/npm-angular-compiler-vulnerability

@renovate renovate Bot commented Jun 16, 2026

Contributor

This PR contains the following updates:

Package | Change | Age | Confidence
@angular/compiler (source) | 20.3.19 → 20.3.25 | age | confidence

@angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)

CVE-2026-54265 / GHSA-58w9-8g37-x9v5

Details

An issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings.

Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]="value" or bindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized.

This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS).

Impact

Any Angular application that uses two-way data binding ([()] or bindon-) on security-sensitive native DOM properties (like innerHTML, href on <a>, src on <img>/<iframe>, etc.) is vulnerable to this security bypass.

Once exploited, this allows a malicious actor to supply an unsanitized property binding value that bypasses core sanitization constraints. This could lead to the execution of arbitrary JavaScript within the target user's browser context, potentially resulting in session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user.

Attack Preconditions

To successfully exploit this vulnerability, the following environment parameters and application states must concurrently exist:

  1. Two-Way Binding on Sensitive Properties: The application must bind to a sensitive native DOM property using the two-way binding syntax (e.g., <div [(innerHTML)]="userContent"></div>).
  2. User-Controlled Input: The value bound to this property must be influenceable by user-controlled input.
  3. Absence of Additional Sanitization: The application does not perform separate manual sanitization (e.g., via DomSanitizer) before passing the value to the bound property.

Patches

  • 22.0.1
  • 21.2.17
  • 20.3.25

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Angular: Template and Attribute Namespace Sanitization Bypass (XSS)

CVE-2026-50557 / GHSA-f3m7-gqxr-g87x

Details

An issue in the @angular/compiler and @angular/core packages allows bypassing element and attribute sanitization/validation through specific namespace workarounds.

Specifically, namespaced script elements (e.g., <svg:script> or <:svg:script>) were not properly identified as script elements by the Angular template preparser, allowing them to pass through template compilation without being stripped.

Furthermore, security context schema mappings for element attributes did not consistently handle attributes within namespaced elements (like SVG and MathML), opening up gaps where malicious namespaced attributes could bypass runtime and compile-time sanitizers.

Combined, these flaws enable an attacker who can inject or supply a template/tag structure with custom namespaces to bypass Angular's script-stripping logic and attribute sanitizers, leading to client-side Cross-Site Scripting (XSS).

Impact

Any Angular application that compiles user-controlled templates at runtime, or relies on sanitization of namespaced elements/attributes, is vulnerable to this security bypass.

Once exploited, this allows a malicious actor to inject a namespaced script element or dynamic attribute bindings, bypassing core sanitization constraints to execute arbitrary JavaScript within the target user's browser context. This could lead to session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user.

Attack Preconditions

To successfully exploit these vulnerabilities, the following environment parameters and application states must all concurrently exist:

  1. User-Controlled Template Input: The application must accept user-controlled inputs that are directly processed by the Angular template compiler at runtime.
  2. Namespace Parsing Support: The input structure must employ custom namespace prefixes (such as <svg:script>) to evade standard tag-name blocklists/checks.
  3. Absence of Additional Context Sanitization: The application does not perform separate input sanitization before feeding values to the Angular compiler.

Patches

  • 22.0.0-rc.2
  • 21.2.15
  • 20.3.22
  • 19.2.23

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

angular/angular (@angular/compiler)

v20.3.25

Deprecations

platform-server

  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

common

Commit | Type | Description
9f443bc24c | fix | Limits date format string length
566ad05f20 | fix | skip transfer cache for uncacheable HTTP traffic
1a62130a6b | fix | use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit | Type | Description
a68ec702a0 | fix | sanitize two-way properties

core

Commit | Type | Description
768a349e6e | fix | harden TransferState restoration against DOM clobbering
ca48b4728d | fix | validate lowercase SVG animation attribute names (#69270)

http

Commit | Type | Description
06be298267 | fix | preserve empty referrer option in HttpRequest
fa940e1f4d | fix | Rejects non-HTTP(S) URLs in JSONP requests
e2ef1ce72a | fix | skip transfer cache for fetch credentialed requests

platform-server

Commit | Type | Description
49368c1859 | fix | harden platform location origin validation during SSR
d55c94ad81 | refactor | deprecate ServerXhr (#69256)

service-worker

Commit | Type | Description
d65a5f457b | fix | Strips sensitive headers on cross-origin redirects

v20.3.24

platform-server

Commit | Type | Description
6ca433e56b | fix | throw on suspicious URLs and restrict protocol-relative URLs
8680b5152f | fix | update domino to latest version

v20.3.23

compiler

Commit | Type | Description
d40acc6431 | fix | prevent namespaced SVG <style> elements from being stripped

v20.3.22

common

Commit | Type | Description
3d135ce59b | fix | add upper bounds for digitsInfo
39a4b4cc8e | fix | sanitize placeholder

compiler

Commit | Type | Description
8f35b182b1 | fix | normalize tag names with custom namespaces in DomElementSchemaRegistry (#68926)
64a89e917a | fix | sanitize dynamic href and xlink:href bindings on SVG a elements (#68926)
6404edfe0a | fix | strip namespaced SVG script elements during template compilation (#68926)

core

Commit | Type | Description
e345a58069 | fix | normalize tag names in runtime i18n attribute security context lookup (#68926)
d86e4e7b2a | fix | reject script element as a dynamic component host (#68926)
af04936045 | fix | sanitize meta selectors
dc631efa96 | fix | support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68926)
909ef047b3 | fix | synchronize core sanitization schema with compiler (#68926)

http

Commit | Type | Description
de7b2a62e7 | fix | exclude withCredentials requests from transfer cache
4233188d8e | fix | skip TransferCache for cookie-bearing requests by default

platform-server

Commit | Type | Description
49a60f6045 | fix | secure location and document initialization against SSRF and path hijack

service-worker

Commit | Type | Description
5fdfd8a998 | fix | preserve redirect policy on reconstructed asset requests
83b022f2d0 | fix | Preserves explicit 'credentials: omit' in asset requests
e617fa06eb | fix | Preserves HTTP cache mode in asset group requests

v20.3.21

platform-server

Commit | Type | Description
f584840e2e | fix | add allowedHosts option to renderModule and renderApplication

v20.3.20

core

Commit | Type | Description
a9bcffdbc7 | fix | disallow event attribute bindings in host bindings unconditionally (#68468)
97eeb45cfa | fix | validate security-sensitive attributes in i18n bindings (#68468)

platform-server

Commit | Type | Description
25e4e07238 | fix | ensure origin has a trailing slash when parsing url (#68468)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
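
An audit sketch for the two-way binding advisory above (CVE-2026-54265), added here as an example and not part of the PR, Renovate's output or Angular's own code: it scans template source for `[(prop)]` and `bindon-prop` bindings on the properties the advisory names. The function name, sample template and file name are constructed for illustration, and a hit on a component input that shares a name with a DOM property is a candidate for review, not a confirmed finding.

```javascript
'use strict';

// Properties the advisory lists as requiring sanitization (compared lower-cased).
const SENSITIVE_PROPS = new Set(['innerhtml', 'srcdoc', 'src', 'href', 'data', 'sandbox']);

// Two alternatives: [(prop)]="..." and bindon-prop="...".
// The lookbehind keeps attributes such as data-bindon-x from matching.
const TWO_WAY = /\[\(\s*([A-Za-z][\w.-]*)\s*\)\]\s*=|(?<![\w-])bindon-([A-Za-z][\w.-]*)\s*=/g;

// Hypothetical helper: returns one finding per two-way binding on a sensitive property.
// It works on raw template text, so it cannot tell a native DOM property from a
// component input with the same name; treat results as candidates for review.
function findSensitiveTwoWayBindings(template, file = '<inline>') {
  const findings = [];
  for (const m of template.matchAll(TWO_WAY)) {
    const property = m[1] || m[2];
    if (!SENSITIVE_PROPS.has(property.toLowerCase())) continue;
    findings.push({
      file,
      line: template.slice(0, m.index).split('\n').length, // 1-based line of the match
      property,
      syntax: m[1] ? '[()]' : 'bindon-',
    });
  }
  return findings;
}

// Constructed sample template (not from any real project).
const SAMPLE_TEMPLATE = [
  '<div [(innerHTML)]="userContent"></div>',   // form quoted in the advisory
  '<iframe bindon-srcdoc="preview"></iframe>', // bindon- form
  '<input [(ngModel)]="name">',                // two-way, but not a sensitive property
  '<div [innerHTML]="userContent"></div>',     // one-way binding, sanitized as usual
  '<a',
  '  [(href)]="profileLink">profile</a>',      // binding on a continuation line
].join('\n');

for (const f of findSensitiveTwoWayBindings(SAMPLE_TEMPLATE, 'sample.component.html')) {
  console.log(`${f.file}:${f.line} two-way binding on ${f.property} (${f.syntax})`);
}
```

Run it over component templates (external `.html` files and inline `template:` strings) before and after the upgrade; any hit that remains is worth converting to a one-way binding with an explicit event handler.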

@renovate renovate Bot added the dependencies label (Pull requests that update a dependency file) Jun 16, 2026
@renovate renovate Bot changed the title from "chore(deps): update dependency @angular/compiler to v20.3.25 [security]" to "chore(deps): update dependency @angular/compiler to v20.3.25 [security] - autoclosed" Jun 16, 2026
@renovate renovate Bot closed this Jun 16, 2026
@renovate renovate Bot deleted the renovate/npm-angular-compiler-vulnerability branch June 16, 2026 08:08