diff --git a/snyk-vulnerability-report.html b/snyk-vulnerability-report.html new file mode 100644 index 000000000..3feb07ea5 --- /dev/null +++ b/snyk-vulnerability-report.html @@ -0,0 +1,2488 @@ + + +
+ + ++ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N +
+
+ @angular/build is an Official build system for Angular
Affected versions of this package
+ are vulnerable to Server-side Request Forgery (SSRF) via the request handling pipeline due to improper
+ validation of user-controlled HTTP headers such as Host and X-Forwarded-*.
+ An attacker can redirect internal server requests to arbitrary external or internal destinations,
+ potentially exfiltrating sensitive data or probing internal networks by manipulating these headers to
+ influence URL resolution and request routing.
+
+ Note:
+
+ This is only exploitable if the application uses server-side rendering, performs HTTP requests using
+ relative URLs or constructs URLs from unvalidated headers, and the infrastructure does not sanitize or
+ validate incoming headers.
+
+ Allows attackers to make server-side requests to internal/external resources, potentially exposing + sensitive data, probing internal networks, or bypassing access controls. +
++ Improper validation of user-controlled HTTP headers (Host, X-Forwarded-*) in the request handling + pipeline, allowing manipulation of URL resolution and request routing. +
+
+ Upgrade @angular/build to version 19.2.21, 20.3.17, 21.1.5 (direct upgrade
+ available)
+
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/build@21.1.1
+ + CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N +
+
+ @schematics/angular is a Schematics specific to Angular
Affected versions of this package
+ are vulnerable to Server-side Request Forgery (SSRF) via the request handling pipeline due to improper
+ validation of user-controlled HTTP headers such as Host and X-Forwarded-*.
+ An attacker can redirect internal server requests to arbitrary external or internal destinations,
+ potentially exfiltrating sensitive data or probing internal networks by manipulating these headers to
+ influence URL resolution and request routing.
+
+ Note:
+
+ This is only exploitable if the application uses server-side rendering, performs HTTP requests using
+ relative URLs or constructs URLs from unvalidated headers, and the infrastructure does not sanitize or
+ validate incoming headers.
+
+ Allows attackers to make server-side requests to internal/external resources, potentially exposing + sensitive data, probing internal networks, or bypassing access controls. +
++ Improper validation of user-controlled HTTP headers (Host, X-Forwarded-*) in the request handling + pipeline, allowing manipulation of URL resolution and request routing. +
+
+ Upgrade @schematics/angular to version 19.2.21, 20.3.17, 21.1.5 (direct
+ upgrade available)
+
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/cli@21.1.1 → @schematics/angular@21.1.1
+ + CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P +
+
+ ajv is an Another JSON Schema Validator
Affected versions of this package are vulnerable to
+ Regular Expression Denial of Service (ReDoS) due to improper validation of the
+ pattern keyword when combined with $data references. An attacker can cause
+ the application to become unresponsive and exhaust CPU resources by submitting a specially crafted
+ regular expression payload.
+
+ Note:
+
+ This is only exploitable if the $data option is enabled.
+
+ Allows attackers to exhaust CPU resources by providing crafted input, causing application + unresponsiveness and denial of service. +
++ Improper validation of the pattern keyword when combined with $data references, allowing crafted + regular expression patterns that trigger catastrophic backtracking. +
+Upgrade ajv to version 6.14.0, 8.18.0 (direct upgrade available)
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/cli@21.1.1 → @angular-devkit/core@21.1.1 →
+ ajv@8.17.1
+ + CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N +
+
+ @modelcontextprotocol/sdk is a Model Context Protocol implementation for TypeScript
Affected
+ versions of this package are vulnerable to Race Condition via the reuse of a single
+ McpServer or Server instance and transport across multiple concurrent client
+ connections. An attacker can access response data intended for other clients by exploiting JSON-RPC
+ message ID collisions, which causes responses to be misrouted between clients.
Note:
This is only exploitable if a server instance is shared across concurrent client sessions
+ and clients generate overlapping message IDs.
+
+ Allows attackers to access response data intended for other clients, potentially exposing sensitive + information. +
++ Shared McpServer instance reuse across concurrent client connections with overlapping JSON-RPC message + IDs causes response misrouting. +
+
+ Upgrade @modelcontextprotocol/sdk to version 1.26.0 (direct upgrade
+ available)
+
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/cli@21.1.1 → @modelcontextprotocol/sdk@1.25.2
+ + CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +
++ Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when + processing crafted extglob patterns. An attacker can cause excessive CPU consumption and block the + event loop by supplying crafted extglob patterns that trigger catastrophic backtracking in regular + expressions. +
++ Allows attackers to exhaust CPU resources by providing crafted input, causing application + unresponsiveness and denial of service. +
++ Improper validation of the pattern keyword when combined with $data references, allowing crafted + regular expression patterns that trigger catastrophic backtracking. +
+
+ Upgrade picomatch to version 2.3.2, 3.0.2, 4.0.4 (direct upgrade available)
+
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/build@21.1.1 → picomatch@4.0.3
+ + CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P +
+
+ undici is an An HTTP/1.1 client, written from scratch for Node.js
Affected versions of this
+ package are vulnerable to Uncaught Exception in the ByteParser when handling a specially crafted
+ WebSocket frame with an extremely large 64-bit length. An attacker can cause the process to terminate
+ unexpectedly by sending such a frame, resulting in a fatal TypeError and service disruption.
+
+ Allows attackers to crash the application by triggering unhandled exceptions, resulting in denial of + service. +
++ Missing input validation in WebSocket frame processing, allowing specially crafted frames with extreme + values to trigger unhandled exceptions. +
+Upgrade undici to version 6.24.0, 7.24.0 (direct upgrade available)
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/build@21.1.1 → undici@7.18.2
+ + CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P +
+
+ undici is an An HTTP/1.1 client, written from scratch for Node.js
Affected versions of this
+ package are vulnerable to Allocation of Resources Without Limits or Throttling in the
+ deduplication-handler component when interceptors.deduplicate() is enabled. An attacker
+ can cause excessive memory consumption and potential application termination by sending large or
+ chunked responses along with concurrent identical requests from an untrusted endpoint.
+
+ Allows attackers to exhaust memory resources, potentially crashing the application and causing denial + of service. +
++ Missing resource limits in the deduplication-handler component when processing large or chunked + responses with concurrent identical requests. +
+Upgrade undici to version 7.24.0 (direct upgrade available)
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/build@21.1.1 → undici@7.18.2
+ + CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P +
+
+ undici is an An HTTP/1.1 client, written from scratch for Node.js
Affected versions of this
+ package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) in the
+ PerMessageDeflate.decompress() method of the permessage-deflate extension. An attacker
+ can cause excessive memory usage by sending specially crafted compressed WebSocket frames that
+ decompress to a very large size, potentially leading to process crashes or unresponsiveness.
+
+ Allows attackers to cause excessive memory usage via compressed data that decompresses to a very large + size, leading to service crashes. +
++ Missing decompression size limits in the permessage-deflate WebSocket extension, allowing compressed + data to expand to an unlimited size in memory. +
+Upgrade undici to version 6.24.0, 7.24.0 (direct upgrade available)
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/build@21.1.1 → undici@7.18.2
+ + CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P +
+
+ undici is an An HTTP/1.1 client, written from scratch for Node.js
Affected versions of this
+ package are vulnerable to Uncaught Exception through improper validation of the
+ server_max_window_bits parameter in the permessage-deflate extension. An attacker can
+ cause the process to terminate unexpectedly by sending a maliciously crafted value outside the valid
+ range, which triggers an unhandled exception when the client attempts to create a zlib InflateRaw
+ instance.
+
+ Allows attackers to crash the application by triggering unhandled exceptions, resulting in denial of + service. +
++ Missing input validation in WebSocket frame processing, allowing specially crafted frames with extreme + values to trigger unhandled exceptions. +
+Upgrade undici to version 6.24.0, 7.24.0 (direct upgrade available)
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/build@21.1.1 → undici@7.18.2
+ + CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P +
+
+ vite is a Native-ESM powered web dev build tool
Affected versions of this package are
+ vulnerable to Missing Authentication for Critical Function via the fetchModule method
+ exposed through the WebSocket interface when the server is explicitly exposed to the network and
+ WebSocket is enabled. An attacker can access arbitrary files on the server by connecting to the
+ WebSocket without an Origin header and invoking fetchModule with a crafted
+ file URL, thereby retrieving sensitive file contents as JavaScript modules.
+
+ Note:
+
+ This is only exploitable if the development server is started with network exposure (such as using
+ --host or the server.host configuration) and WebSocket is not disabled.
+
+ Allows unauthenticated attackers to access arbitrary files on the server, potentially exposing + sensitive source code and configurations. +
++ Missing authentication on the WebSocket interface, allowing unauthenticated access to the fetchModule + method which can read arbitrary files. +
+Upgrade vite to version 6.4.2, 7.3.2, 8.0.5 (direct upgrade available)
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/build@21.1.1 → vite@7.3.0
+ + CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P +
+
+ vite is a Native-ESM powered web dev build tool
Affected versions of this package are
+ vulnerable to Incorrect Behavior Order: Validate Before Canonicalize through the
+ server.fs.deny component. An attacker can access sensitive files by appending specific
+ query parameters such as ?raw, ?import&raw, or
+ ?import&url&inline to HTTP requests.
+
+ Note:
+
+ This is only exploitable if the development server is explicitly exposed to the network, the sensitive
+ file exists within directories allowed by server.fs.allow, and the file is denied by a
+ pattern in server.fs.deny.
+
+ Allows attackers to bypass file access restrictions by appending specific query parameters to + requests. +
++ Validation of file access occurs before URL canonicalization, allowing query parameters to bypass + server.fs.deny restrictions. +
+Upgrade vite to version 7.3.2, 8.0.5 (direct upgrade available)
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/build@21.1.1 → vite@7.3.0
+ + CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N +
+
+ Affected versions of this package are vulnerable to Prototype Pollution via the
+ POSIX_REGEX_SOURCE object. An attacker can cause unintended files to be matched by
+ injecting specially crafted POSIX bracket expressions that reference inherited method names, leading
+ to incorrect glob matching behavior. This can result in security-relevant logic errors in applications
+ that rely on glob matching for filtering, validation, or access control.
+
+ Allows attackers to modify object prototypes, leading to incorrect glob matching behavior that can + bypass security controls. +
++ POSIX_REGEX_SOURCE object uses a regular prototype, allowing inherited method names to be accessed via + crafted POSIX bracket expressions. +
+
+ Upgrade picomatch to version 2.3.2, 3.0.2, 4.0.4 (direct upgrade available)
+
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/build@21.1.1 → picomatch@4.0.3
+ + CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P +
+
+ undici is an An HTTP/1.1 client, written from scratch for Node.js
Affected versions of this
+ package are vulnerable to HTTP Request Smuggling in the processHeader() while handling
+ HTTP/1.1 requests containing duplicate Content-Length headers with differing casing. An
+ attacker can bypass access controls, poison caches, hijack credentials, or cause service disruption by
+ sending specially crafted HTTP requests that are interpreted inconsistently by proxies and backend
+ servers.
+
+ Allows attackers to bypass access controls, poison caches, hijack credentials, or cause service + disruption through inconsistent HTTP request interpretation. +
++ Improper handling of duplicate Content-Length headers with differing casing in HTTP/1.1 requests, + causing inconsistent request interpretation between proxies and backends. +
+Upgrade undici to version 6.24.0, 7.24.0 (direct upgrade available)
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/build@21.1.1 → undici@7.18.2
+ + CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N +
+
+ undici is an An HTTP/1.1 client, written from scratch for Node.js
Affected versions of this
+ package are vulnerable to CRLF Injection via the upgrade option of the
+ client.request() function. An attacker can inject malicious data into HTTP headers or
+ prematurely terminate HTTP requests by sending specially crafted input, potentially leading to
+ unauthorized information disclosure or bypassing of security controls.
+
+ Allows attackers to inject malicious data into HTTP headers, potentially leading to unauthorized + information disclosure or security control bypass. +
++ Insufficient input sanitization in the upgrade option of the client.request() function, allowing CRLF + characters to be injected into HTTP headers. +
+Upgrade undici to version 6.24.0, 7.24.0 (direct upgrade available)
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/build@21.1.1 → undici@7.18.2
+ + CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P +
+
+ vite is a Native-ESM powered web dev build tool
Affected versions of this package are
+ vulnerable to Directory Traversal via the handling of .map files in the dev server when
+ resolving file paths. An attacker can access sensitive files outside the project root by injecting
+ ../ segments into the URL, provided the files are valid source map JSON and the server is
+ explicitly exposed to the network with predictable .map file paths.
+
+ Note:
+
+ This is only exploitable if the dev server is started with the --host flag or the
+ server.host configuration option, and sensitive content exists in predictable
+ .map files.
+
+ Allows attackers to access sensitive files outside the intended directory, potentially exposing source + code, configuration, or credentials. +
++ Improper path resolution when handling .map file requests in the dev server, allowing directory + traversal via ../ segments. +
+Upgrade vite to version 6.4.2, 7.3.2, 8.0.5 (direct upgrade available)
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/build@21.1.1 → vite@7.3.0
+ + CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N +
+
+ Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of
+ internationalized attribute bindings. An attacker can execute arbitrary scripts in the
+ context of the application by injecting malicious input into attributes such as href,
+ src, or similar, when these are marked for internationalization and bound to unsanitized
+ user data.
+
+ Note: This is only exploitable if unsanitized user input is bound to a
+ security-sensitive attribute that is also marked with an i18n-<attribute> directive
+ on the same element.
+
+ Allows attackers to execute arbitrary scripts in the context of the application, potentially stealing + session tokens or sensitive data. +
++ Improper handling of internationalized attribute bindings (i18n-<attribute> directives) allows + unsanitized user input to be bound to security-sensitive attributes. +
+
+ Upgrade @angular/compiler to version 19.2.20, 20.3.18, 21.2.4 (direct
+ upgrade available)
+
Upgradable via direct dependency update
+angular-realworld@0.0.0 →
+ @angular/compiler@21.1.1
+ e2e/helpers/auth.ts:56realworld/specs/e2e/helpers/auth.ts:56realworld/specs/api/hurl-to-bruno.js:436src/app/core/auth/services/jwt.service.spec.ts:132src/app/core/auth/services/jwt.service.spec.ts:133src/app/core/auth/services/user.service.spec.ts:100src/app/core/auth/services/user.service.spec.ts:109src/app/core/auth/services/user.service.spec.ts:118src/app/core/auth/services/user.service.spec.ts:133src/app/core/auth/services/user.service.spec.ts:330src/app/core/auth/services/user.service.spec.ts:349src/app/core/auth/services/user.service.spec.ts:145src/app/core/auth/services/user.service.spec.ts:146src/app/core/auth/services/user.service.spec.ts:158src/app/core/auth/services/user.service.spec.ts:159src/app/core/auth/services/user.service.spec.ts:100src/app/core/auth/services/user.service.spec.ts:109src/app/core/auth/services/user.service.spec.ts:118src/app/core/auth/services/user.service.spec.ts:147src/app/core/auth/services/user.service.spec.ts:160src/app/core/auth/services/user.service.spec.ts:173src/app/core/auth/services/user.service.spec.ts:330src/app/core/auth/services/user.service.spec.ts:349+ The Snyk IaC scan found no infrastructure-as-code configuration files (Terraform, + CloudFormation, Kubernetes manifests, Dockerfiles) in this repository. This is expected for a pure frontend + Angular application. +
++ No Dockerfile, docker-compose.yml, Kubernetes manifests, or CI/CD pipeline configurations were detected for + IaC scanning. +
+@angular/build to version
+ 19.2.21, 20.3.17, 21.1.5 @schematics/angular to version
+ 19.2.21, 20.3.17, 21.1.5 ajv to version 6.14.0, 8.18.0 @modelcontextprotocol/sdk to version 1.26.0
+ picomatch to version 2.3.2, 3.0.2, 4.0.4
+ undici to version 6.24.0, 7.24.0 vite to version 6.4.2, 7.3.2, 8.0.5 @angular/compiler to version
+ 19.2.20, 20.3.18, 21.2.4 snyk test and snyk code test to your CI/CD workflow for continuous
+ vulnerability monitoringnpx snyk test --all-projects --devnpx snyk code test
+ | Severity | +CVE / ID | +CVSS | +Package | +Title | +CWE | +Fix Version | +Exploitability | +
|---|---|---|---|---|---|---|---|
| critical | +CVE-2026-27739 | +9.2 | +@angular/build@21.1.1 |
+ Server-side Request Forgery (SSRF) | +CWE-918 | +19.2.21, 20.3.17 | +Not Defined | +
| critical | +CVE-2026-27739 | +9.2 | +@schematics/angular@21.1.1 |
+ Server-side Request Forgery (SSRF) | +CWE-918 | +19.2.21, 20.3.17 | +Not Defined | +
| high | +CVE-2025-69873 | +8.2 | +ajv@8.17.1 |
+ Regular Expression Denial of Service (ReDoS) | +CWE-1333 | +6.14.0, 8.18.0 | +Proof of Concept | +
| high | +CVE-2026-25536 | +7.1 | +@modelcontextprotocol/sdk@1.25.2 |
+ Race Condition | +CWE-362 | +1.26.0 | +Not Defined | +
| high | +CVE-2026-33671 | +8.7 | +picomatch@4.0.3 |
+ Regular Expression Denial of Service (ReDoS) | +CWE-1333 | +2.3.2, 3.0.2 | +Not Defined | +
| high | +CVE-2026-1528 | +8.7 | +undici@7.18.2 |
+ Uncaught Exception | +CWE-248 | +6.24.0, 7.24.0 | +Proof of Concept | +
| high | +CVE-2026-2581 | +8.2 | +undici@7.18.2 |
+ Allocation of Resources Without Limits or Throttling | +CWE-770 | +7.24.0 | +Proof of Concept | +
| high | +CVE-2026-1526 | +8.7 | +undici@7.18.2 |
+ Improper Handling of Highly Compressed Data (Data Amplification) | +CWE-409 | +6.24.0, 7.24.0 | +Proof of Concept | +
| high | +CVE-2026-2229 | +8.7 | +undici@7.18.2 |
+ Uncaught Exception | +CWE-248 | +6.24.0, 7.24.0 | +Proof of Concept | +
| high | +CVE-2026-39363 | +8.2 | +vite@7.3.0 |
+ Missing Authentication for Critical Function | +CWE-306 | +6.4.2, 7.3.2 | +Proof of Concept | +
| high | +CVE-2026-39364 | +8.2 | +vite@7.3.0 |
+ Incorrect Behavior Order: Validate Before Canonicalize | +CWE-180 | +7.3.2, 8.0.5 | +Proof of Concept | +
| medium | +CVE-2026-33672 | +6.9 | +picomatch@4.0.3 |
+ Prototype Pollution | +CWE-1321 | +2.3.2, 3.0.2 | +Not Defined | +
| medium | +CVE-2026-1525 | +6.9 | +undici@7.18.2 |
+ HTTP Request Smuggling | +CWE-444 | +6.24.0, 7.24.0 | +Proof of Concept | +
| medium | +CVE-2026-1527 | +5.1 | +undici@7.18.2 |
+ CRLF Injection | +CWE-93 | +6.24.0, 7.24.0 | +Not Defined | +
| medium | +CVE-2026-39365 | +6.3 | +vite@7.3.0 |
+ Directory Traversal | +CWE-22 | +6.4.2, 7.3.2 | +Proof of Concept | +
| low | +CVE-2026-32635 | +2.1 | +@angular/compiler@21.1.1 |
+ Cross-site Scripting (XSS) | +CWE-79 | +19.2.20, 20.3.18 | +Not Defined | +
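Review bot: The root-cause text for the picomatch ReDoS entry is copied from the ajv entry and is wrong for this package: it reads "Improper validation of the pattern keyword when combined with $data references", but `$data` is an ajv option and has nothing to do with extglob patterns in picomatch; the root cause should describe catastrophic backtracking in picomatch's extglob regex handling, as the description paragraph above it already does. The same copy-paste pattern appears in the second undici "Uncaught Exception" entry, whose root cause repeats the ByteParser frame-length wording ("Missing input validation in WebSocket frame processing ... extreme values") instead of the unvalidated `server_max_window_bits` parameter named in its own description. In the summary table the "Fix Version" column is truncated to two versions, which drops the one that actually applies to the installed major in several rows (picomatch@4.0.3 shows "2.3.2, 3.0.2" but the fix is 4.0.4; @angular/build@21.1.1 shows "19.2.21, 20.3.17" but needs 21.1.5; @angular/compiler@21.1.1 shows "19.2.20, 20.3.18" but needs 21.2.4), so a reader acting on the table alone would pin the wrong upgrade; either list all fix versions or only the one matching the installed line. The code-scan section is a run-together list of `file:line` references (e.g. `src/app/core/auth/services/user.service.spec.ts:100` repeated several times) with no rule name, severity or description attached, which makes it unactionable; each reference should carry the finding title and severity, and the duplicates should be collapsed. Minor: the generated package blurbs produce doubled articles ("is an Another JSON Schema Validator", "is an An HTTP/1.1 client") and should be normalised before the report is committed.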