Skip to content

build(deps): update dependency @angular/compiler to v20.3.18 [security]#767

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/npm-angular-compiler-vulnerability
Mar 31, 2026
Merged

build(deps): update dependency @angular/compiler to v20.3.18 [security]#767
renovate[bot] merged 1 commit intomainfrom
renovate/npm-angular-compiler-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Mar 14, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
@angular/compiler (source) 20.3.1620.3.18 age confidence

GitHub Vulnerability Alerts

CVE-2026-32635

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script.

The following example illustrates the issue:

<a href="" i18n-href>Click me</a>

The following attributes have been confirmed to be vulnerable:

  • action
  • background
  • cite
  • codebase
  • data
  • formaction
  • href
  • itemtype
  • longdesc
  • poster
  • src
  • xlink:href

Impact

When exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:

  • Session Hijacking: Stealing session cookies and authentication tokens.
  • Data Exfiltration: Capturing and transmitting sensitive user data.
  • Unauthorized Actions: Performing actions on behalf of the user.

Attack Preconditions

  1. The application must use a vulnerable version of Angular.
  2. The application must bind unsanitized user input to one of the attributes mentioned above.
  3. The bound value must be marked for internationalization via the presence of a i18n-<name> attribute on the same element.

Patches

  • 22.0.0-next.3
  • 21.2.4
  • 20.3.18
  • 19.2.20

Workarounds

The primary workaround is to ensure that any data bound to the vulnerable attributes is never sourced from untrusted user input (e.g., database, API response, URL parameters) until the patch is applied, or when it is, it shouldn't be marked for internationalization.

Alternatively, users can explicitly sanitize their attributes by passing them through Angular's DomSanitizer:

import {Component, inject, SecurityContext} from '@&#8203;angular/core';
import {DomSanitizer} from '@&#8203;angular/platform-browser';

@&#8203;Component({
  template: `
    <form action="" i18n-action>
      <button>Submit</button>
    </form>
  `,
})
export class App {
  url: string;

  constructor() {
    const dangerousUrl = 'javascript:alert(1)';
    const sanitizer = inject(DomSanitizer);
    this.url = sanitizer.sanitize(SecurityContext.URL, dangerousUrl) || '';
  }
}

References

Release Notes

angular/angular (@​angular/compiler)

v20.3.18

Compare Source

compiler
Commit Type Description
02fbf08890 fix disallow translations of iframe src
core
Commit Type Description
72126f9a08 fix sanitize translated attribute bindings with interpolations
626bc8bc20 fix sanitize translated form attributes

v20.3.17

Compare Source

Breaking Changes

core

  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 03da204)

core
Commit Type Description
7f9de3c118 fix block creation of sensitive URI attributes from ICU messages

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Madrid, Automerge - Between 09:00 AM and 09:59 PM, Monday through Friday ( * 9-21 * * 1-5 ) in timezone Europe/Madrid.

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from davidlj95 as a code owner March 14, 2026 05:03
@renovate renovate Bot enabled auto-merge (squash) March 14, 2026 05:03
@renovate renovate Bot changed the title build(deps): update dependency @angular/compiler to v20.3.18 [security] build(deps): update dependency @angular/compiler to v20.3.18 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
auto-merge was automatically disabled March 27, 2026 02:01

Pull request was closed

@renovate renovate Bot deleted the renovate/npm-angular-compiler-vulnerability branch March 27, 2026 02:01
@renovate renovate Bot changed the title build(deps): update dependency @angular/compiler to v20.3.18 [security] - autoclosed build(deps): update dependency @angular/compiler to v20.3.18 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-angular-compiler-vulnerability branch 2 times, most recently from c1bb022 to f2d40d5 Compare March 30, 2026 22:03
@renovate renovate Bot merged commit 5bd852c into main Mar 31, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@davidlj95 davidlj95 Awaiting requested review from davidlj95 davidlj95 is a code owner

Assignees

No one assigned

Labels

dependencies javascript

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants