GHSA-r3hf-q8q7-fv2p: Angular critical CSS inlining Cross-site Scripting Vulnerability Advisory

Impact

Angular Universal applications on 16.1.0 and 16.1.1 that use critical CSS inlining are vulnerable to a cross-site scripting (XSS) attack in which an attacker can trick another user into visiting a page that injects malicious JavaScript.

Angular CLI applications without Universal also perform critical CSS inlining; however, exploiting this requires a malicious actor to already have access to modify the source code directly.

Patches

@nguniversal/common should be upgraded to 16.1.2 or higher. 16.2.0-rc.0 is safe.

Workarounds

The easiest solution is likely to upgrade Universal to 16.1.2 or downgrade to 16.0.x or lower. Alternatively, you can specifically override the critters dependency to version 0.0.20 in your package.json:

{
  "overrides": {
    "critters": "0.0.20"
  }
}
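As an added example (not code from the advisory, Angular or critters), the following Node script checks a project's package.json and package-lock.json against the affected @nguniversal/common range stated above (>= 16.1.0, < 16.1.2) and reports whether the critters override from the workaround is in place. The sample inputs are constructed; the semver comparison is a minimal hand-written one so the script needs only Node built-ins.

```javascript
// Added example: audit a project for the advisory's affected range and workaround.
const ADVISORY = "GHSA-r3hf-q8q7-fv2p";
const AFFECTED_PKG = "@nguniversal/common";
const AFFECTED_MIN = "16.1.0"; // affected: >= 16.1.0
const FIXED = "16.1.2";        // affected: < 16.1.2
const OVERRIDE_PKG = "critters";
const OVERRIDE_VERSION = "0.0.20"; // pin named in the advisory's workaround

// Minimal semver compare on major.minor.patch; a pre-release tag sorts before
// its release, so 16.2.0-rc.0 > 16.1.2 while 16.1.2-rc.0 < 16.1.2.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre = null] = v.split("-");
    return { nums: core.split(".").map(Number), pre };
  };
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null || y.pre === null) return x.pre === null ? 1 : -1;
  return x.pre < y.pre ? -1 : 1;
}

function isAffectedVersion(v) {
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED) < 0;
}

// Lockfile v2/v3 lists installed packages under "packages", keyed by their
// node_modules path (nested copies included); the root project is the "" key.
function audit(packageJson, lock) {
  const vulnerable = Object.entries(lock.packages || {})
    .filter(([p]) => p.endsWith("node_modules/" + AFFECTED_PKG))
    .map(([p, e]) => ({ path: p, version: e.version }))
    .filter((e) => isAffectedVersion(e.version));
  const overridden = (packageJson.overrides || {})[OVERRIDE_PKG] === OVERRIDE_VERSION;
  let status = "not-affected";
  if (vulnerable.length) status = overridden ? "mitigated-by-override" : "vulnerable";
  return { advisory: ADVISORY, status, vulnerable, overridden };
}

// Constructed sample inputs standing in for a real project's files.
const samplePackageJson = { dependencies: { "@nguniversal/common": "^16.1.0" } };
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/@nguniversal/common": { version: "16.1.1" } } };
console.log(JSON.stringify(audit(samplePackageJson, sampleLock)));
```

For a real project, replace the constructed objects with `JSON.parse(fs.readFileSync(...))` of the two files; a result of "mitigated-by-override" still leaves upgrading to 16.1.2 as the recommended fix.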


Severity: High (GitHub Reviewed). Published Aug 8, 2023 in angular/universal.

Package

npm @nguniversal/common (npm)

Affected versions

>= 16.1.0, < 16.1.2


References

  • Angular Blog Post
  • GHSA-r3hf-q8q7-fv2p

Published to the GitHub Advisory Database

Aug 9, 2023
