Skip to content

common-15.2.2.tgz: 5 vulnerabilities (highest severity is: 8.6) #514

Description

@mend-bolt-for-github
Vulnerable Library - common-15.2.2.tgz

Angular - commonly needed directives and services

Library home page: https://registry.npmjs.org/@⁠angular/common/-/common-15.2.2.tgz

Path to dependency file: /MangoAPI.Client/package.json

Path to vulnerable library: /MangoAPI.Client/node_modules/@⁠angular/common/package.json

Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (common version) Remediation Possible**
CVE-2025-66035 High 8.6 common-15.2.2.tgz Direct https://github.com/angular/angular.git - 20.3.14,https://github.com/angular/angular.git - 19.2.16
CVE-2026-54266 High 8.2 common-15.2.2.tgz Direct https://github.com/angular/angular.git - v20.3.25,https://github.com/angular/angular.git - v21.2.17
CVE-2026-54268 High 7.5 common-15.2.2.tgz Direct https://github.com/angular/angular.git - v21.2.17,https://github.com/angular/angular.git - v20.3.25
CVE-2026-50171 High 7.5 common-15.2.2.tgz Direct https://github.com/angular/angular.git - v21.2.15,https://github.com/angular/angular.git - v19.2.23,https://github.com/angular/angular.git - v20.3.22
CVE-2026-50170 High 7.5 common-15.2.2.tgz Direct https://github.com/angular/angular.git - v21.2.15,https://github.com/angular/angular.git - v19.2.23,https://github.com/angular/angular.git - v20.3.22

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-66035

Vulnerable Library - common-15.2.2.tgz

Angular - commonly needed directives and services

Library home page: https://registry.npmjs.org/@⁠angular/common/-/common-15.2.2.tgz

Path to dependency file: /MangoAPI.Client/package.json

Path to vulnerable library: /MangoAPI.Client/node_modules/@⁠angular/common/package.json

Dependency Hierarchy:

  • common-15.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2

Found in base branch: main

Vulnerability Details

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Publish Date: 2025-11-26

URL: CVE-2025-66035

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-11-26

Fix Resolution: https://github.com/angular/angular.git - 20.3.14,https://github.com/angular/angular.git - 19.2.16

Step up your Open Source Security Game with Mend here

CVE-2026-54266

Vulnerable Library - common-15.2.2.tgz

Angular - commonly needed directives and services

Library home page: https://registry.npmjs.org/@⁠angular/common/-/common-15.2.2.tgz

Path to dependency file: /MangoAPI.Client/package.json

Path to vulnerable library: /MangoAPI.Client/node_modules/@⁠angular/common/package.json

Dependency Hierarchy:

  • common-15.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2

Found in base branch: main

Vulnerability Details

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, Angular's HttpTransferCache caches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in TransferState using a cache key generated by hashing request properties (method, response type, mapped URL, serialized body, and sorted query parameters). The cache keys are generated using a weak 32-bit DJB2-like polynomial rolling hash. The 32-bit hash space is extremely small, allowing attackers to find hash collisions. An attacker can easily find a query parameter string (e.g., q=aaCAZMMM for a search request) that produces the exact same 32-bit hash as a sensitive endpoint (e.g., /api/user/profile). When a victim visits a crafted link containing the colliding parameter, the SSR process executes both the search request and the profile request. Due to the hash collision, the search response overwrites the profile response in the TransferState cache. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.

Publish Date: 2026-06-22

URL: CVE-2026-54266

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-39pv-4j6c-2g6v

Release Date: 2026-06-15

Fix Resolution: https://github.com/angular/angular.git - v20.3.25,https://github.com/angular/angular.git - v21.2.17

Step up your Open Source Security Game with Mend here

CVE-2026-54268

Vulnerable Library - common-15.2.2.tgz

Angular - commonly needed directives and services

Library home page: https://registry.npmjs.org/@⁠angular/common/-/common-15.2.2.tgz

Path to dependency file: /MangoAPI.Client/package.json

Path to vulnerable library: /MangoAPI.Client/node_modules/@⁠angular/common/package.json

Dependency Hierarchy:

  • common-15.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2

Found in base branch: main

Vulnerability Details

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service (DoS) vulnerability exists in the @⁠angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.

Publish Date: 2026-06-22

URL: CVE-2026-54268

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-48r7-hpm6-gfxm

Release Date: 2026-06-15

Fix Resolution: https://github.com/angular/angular.git - v21.2.17,https://github.com/angular/angular.git - v20.3.25

Step up your Open Source Security Game with Mend here

CVE-2026-50171

Vulnerable Library - common-15.2.2.tgz

Angular - commonly needed directives and services

Library home page: https://registry.npmjs.org/@⁠angular/common/-/common-15.2.2.tgz

Path to dependency file: /MangoAPI.Client/package.json

Path to vulnerable library: /MangoAPI.Client/node_modules/@⁠angular/common/package.json

Dependency Hierarchy:

  • common-15.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2

Found in base branch: main

Vulnerability Details

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service (DoS) vulnerability exists in the @⁠angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum fraction digits parsed from the digitsInfo string (e.g., 1.2-4) are converted to integers and used without limits. When parsing a maliciously crafted digitsInfo string with excessively large fraction digit values (e.g., 1.200000000-200000000), the internal roundNumber function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

Publish Date: 2026-06-22

URL: CVE-2026-50171

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p3vc-36g9-x9gr

Release Date: 2026-06-15

Fix Resolution: https://github.com/angular/angular.git - v21.2.15,https://github.com/angular/angular.git - v19.2.23,https://github.com/angular/angular.git - v20.3.22

Step up your Open Source Security Game with Mend here

CVE-2026-50170

Vulnerable Library - common-15.2.2.tgz

Angular - commonly needed directives and services

Library home page: https://registry.npmjs.org/@⁠angular/common/-/common-15.2.2.tgz

Path to dependency file: /MangoAPI.Client/package.json

Path to vulnerable library: /MangoAPI.Client/node_modules/@⁠angular/common/package.json

Dependency Hierarchy:

  • common-15.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2

Found in base branch: main

Vulnerability Details

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerability was discovered in @⁠angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState. However, the caching mechanism fails to inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared TransferState payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user's private data to other users, leading to a high-severity information disclosure vulnerability. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

Publish Date: 2026-06-22

URL: CVE-2026-50170

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q6f4-qqrg-jv6x

Release Date: 2026-06-15

Fix Resolution: https://github.com/angular/angular.git - v21.2.15,https://github.com/angular/angular.git - v19.2.23,https://github.com/angular/angular.git - v20.3.22

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions