From 71c24cb721a4c5612513f684767e993230a3f427 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Thu, 16 Apr 2026 19:58:00 +0000 Subject: [PATCH] Add Snyk vulnerability scan report with detailed CVE assessment - 16 SCA vulnerabilities (2 critical, 9 high, 4 medium, 1 low) - 25 SAST code issues from Snyk Code scan - Detailed assessment: CVE scores, severity, impact, root cause, remediation - Executive summary with severity breakdown - Synthesized remediation plan with prioritized steps - Complete vulnerability assessment table Co-Authored-By: sachet.agarwal --- snyk-vulnerability-report.html | 2488 ++++++++++++++++++++++++++++++++ 1 file changed, 2488 insertions(+) create mode 100644 snyk-vulnerability-report.html diff --git a/snyk-vulnerability-report.html b/snyk-vulnerability-report.html new file mode 100644 index 000000000..3feb07ea5 --- /dev/null +++ b/snyk-vulnerability-report.html @@ -0,0 +1,2488 @@ + + + + + + Snyk Vulnerability Report - angular-realworld-example-app + + + +
+
+

Snyk Vulnerability Scan Report

+
angular-realworld-example-app (COG-GTM)
+
+ Scan Date: April 16, 2026 19:57 UTC + Snyk CLI: v1.1304.0 + Node: v20.20.2 + Dependencies Scanned: 606 +
+
+ +
+
+
41
+
Total Issues
+
+
+
2
+
Critical
+
+
+
9
+
High
+
+
+
6
+
Medium
+
+
+
24
+
Low
+
+
+ +
+

+ Section 1: Critical & High Severity Findings (SCA - Open Source) +

+ +
+
+ +
+ critical +
+
Server-side Request Forgery (SSRF)
+
+ @angular/build@21.1.1  |  CVSS: 9.2  |  + CVE-2026-27739 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 9.2 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N +

+
+
+

Identifiers

+ +
+
+
+

Description

+

+ @angular/build is an Official build system for Angular

Affected versions of this package + are vulnerable to Server-side Request Forgery (SSRF) via the request handling pipeline due to improper + validation of user-controlled HTTP headers such as Host and X-Forwarded-*. + An attacker can redirect internal server requests to arbitrary external or internal destinations, + potentially exfiltrating sensitive data or probing internal networks by manipulating these headers to + influence URL resolution and request routing. + + Note: + + This is only exploitable if the application uses server-side rendering, performs HTTP requests using + relative URLs or constructs URLs from unvalidated headers, and the infrastructure does not sanitize or + validate incoming headers. +

+
+
+

Impact

+

+ Allows attackers to make server-side requests to internal/external resources, potentially exposing + sensitive data, probing internal networks, or bypassing access controls. +

+
+
+

Root Cause

+

+ Improper validation of user-controlled HTTP headers (Host, X-Forwarded-*) in the request handling + pipeline, allowing manipulation of URL resolution and request routing. +

+
+
+

Remediation

+

+ Upgrade @angular/build to version 19.2.21, 20.3.17, 21.1.5 (direct upgrade + available) +

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/build@21.1.1 +
+
+
+
+ +
+
+ +
+ critical +
+
Server-side Request Forgery (SSRF)
+
+ @schematics/angular@21.1.1  |  CVSS: 9.2  |  + CVE-2026-27739 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 9.2 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N +

+
+
+

Identifiers

+ +
+
+
+

Description

+

+ @schematics/angular is a Schematics specific to Angular

Affected versions of this package + are vulnerable to Server-side Request Forgery (SSRF) via the request handling pipeline due to improper + validation of user-controlled HTTP headers such as Host and X-Forwarded-*. + An attacker can redirect internal server requests to arbitrary external or internal destinations, + potentially exfiltrating sensitive data or probing internal networks by manipulating these headers to + influence URL resolution and request routing. + + Note: + + This is only exploitable if the application uses server-side rendering, performs HTTP requests using + relative URLs or constructs URLs from unvalidated headers, and the infrastructure does not sanitize or + validate incoming headers. +

+
+
+

Impact

+

+ Allows attackers to make server-side requests to internal/external resources, potentially exposing + sensitive data, probing internal networks, or bypassing access controls. +

+
+
+

Root Cause

+

+ Improper validation of user-controlled HTTP headers (Host, X-Forwarded-*) in the request handling + pipeline, allowing manipulation of URL resolution and request routing. +

+
+
+

Remediation

+

+ Upgrade @schematics/angular to version 19.2.21, 20.3.17, 21.1.5 (direct + upgrade available) +

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/cli@21.1.1@schematics/angular@21.1.1 +
+
+
+
+ +
+
+ +
+ high +
+
Regular Expression Denial of Service (ReDoS)
+
+ ajv@8.17.1  |  CVSS: 8.2  |  + CVE-2025-69873 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 8.2 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P +

+
+
+

Identifiers

+
    +
  • Snyk ID: SNYK-JS-AJV-15274295
  • +
  • + CVE: + CVE-2025-69873 +
  • +
  • + CWE: + CWE-1333 +
  • +
  • GHSA: N/A
  • +
  • Exploit Maturity: Proof of Concept
  • +
+
+
+
+

Description

+

+ ajv is an Another JSON Schema Validator

Affected versions of this package are vulnerable to + Regular Expression Denial of Service (ReDoS) due to improper validation of the + pattern keyword when combined with $data references. An attacker can cause + the application to become unresponsive and exhaust CPU resources by submitting a specially crafted + regular expression payload. + + Note: + + This is only exploitable if the $data option is enabled. +

+
+
+

Impact

+

+ Allows attackers to exhaust CPU resources by providing crafted input, causing application + unresponsiveness and denial of service. +

+
+
+

Root Cause

+

+ Improper validation of the pattern keyword when combined with $data references, allowing crafted + regular expression patterns that trigger catastrophic backtracking. +

+
+
+

Remediation

+

Upgrade ajv to version 6.14.0, 8.18.0 (direct upgrade available)

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/cli@21.1.1@angular-devkit/core@21.1.1 → + ajv@8.17.1 +
+
+
+
+ +
+
+ +
+ high +
+
Race Condition
+
+ @modelcontextprotocol/sdk@1.25.2  |  CVSS: 7.1  |  + CVE-2026-25536 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 7.1 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N +

+
+
+

Identifiers

+ +
+
+
+

Description

+

+ @modelcontextprotocol/sdk is a Model Context Protocol implementation for TypeScript

Affected + versions of this package are vulnerable to Race Condition via the reuse of a single + McpServer or Server instance and transport across multiple concurrent client + connections. An attacker can access response data intended for other clients by exploiting JSON-RPC + message ID collisions, which causes responses to be misrouted between clients.

Note:

This is only exploitable if a server instance is shared across concurrent client sessions + and clients generate overlapping message IDs. +

+
+
+

Impact

+

+ Allows attackers to access response data intended for other clients, potentially exposing sensitive + information. +

+
+
+

Root Cause

+

+ Shared McpServer instance reuse across concurrent client connections with overlapping JSON-RPC message + IDs causes response misrouting. +

+
+
+

Remediation

+

+ Upgrade @modelcontextprotocol/sdk to version 1.26.0 (direct upgrade + available) +

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/cli@21.1.1@modelcontextprotocol/sdk@1.25.2 +
+
+
+
+ +
+
+ +
+ high +
+
Regular Expression Denial of Service (ReDoS)
+
+ picomatch@4.0.3  |  CVSS: 8.7  |  + CVE-2026-33671 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 8.7 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +

+
+
+

Identifiers

+ +
+
+
+

Description

+

+ Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when + processing crafted extglob patterns. An attacker can cause excessive CPU consumption and block the + event loop by supplying crafted extglob patterns that trigger catastrophic backtracking in regular + expressions. +

+
+
+

Impact

+

+ Allows attackers to exhaust CPU resources by providing crafted input, causing application + unresponsiveness and denial of service. +

+
+
+

Root Cause

+

+ Improper validation of the pattern keyword when combined with $data references, allowing crafted + regular expression patterns that trigger catastrophic backtracking. +

+
+
+

Remediation

+

+ Upgrade picomatch to version 2.3.2, 3.0.2, 4.0.4 (direct upgrade available) +

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/build@21.1.1picomatch@4.0.3 +
+
+
+
+ +
+
+ +
+ high +
+
Uncaught Exception
+
+ undici@7.18.2  |  CVSS: 8.7  |  + CVE-2026-1528 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 8.7 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P +

+
+
+

Identifiers

+
    +
  • Snyk ID: SNYK-JS-UNDICI-15518064
  • +
  • + CVE: + CVE-2026-1528 +
  • +
  • + CWE: + CWE-248 +
  • +
  • GHSA: N/A
  • +
  • Exploit Maturity: Proof of Concept
  • +
+
+
+
+

Description

+

+ undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this + package are vulnerable to Uncaught Exception in the ByteParser when handling a specially crafted + WebSocket frame with an extremely large 64-bit length. An attacker can cause the process to terminate + unexpectedly by sending such a frame, resulting in a fatal TypeError and service disruption. +

+
+
+

Impact

+

+ Allows attackers to crash the application by triggering unhandled exceptions, resulting in denial of + service. +

+
+
+

Root Cause

+

+ Missing input validation in WebSocket frame processing, allowing specially crafted frames with extreme + values to trigger unhandled exceptions. +

+
+
+

Remediation

+

Upgrade undici to version 6.24.0, 7.24.0 (direct upgrade available)

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/build@21.1.1undici@7.18.2 +
+
+
+
+ +
+
+ +
+ high +
+
Allocation of Resources Without Limits or Throttling
+
+ undici@7.18.2  |  CVSS: 8.2  |  + CVE-2026-2581 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 8.2 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P +

+
+
+

Identifiers

+
    +
  • Snyk ID: SNYK-JS-UNDICI-15518066
  • +
  • + CVE: + CVE-2026-2581 +
  • +
  • + CWE: + CWE-770 +
  • +
  • GHSA: N/A
  • +
  • Exploit Maturity: Proof of Concept
  • +
+
+
+
+

Description

+

+ undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this + package are vulnerable to Allocation of Resources Without Limits or Throttling in the + deduplication-handler component when interceptors.deduplicate() is enabled. An attacker + can cause excessive memory consumption and potential application termination by sending large or + chunked responses along with concurrent identical requests from an untrusted endpoint. +

+
+
+

Impact

+

+ Allows attackers to exhaust memory resources, potentially crashing the application and causing denial + of service. +

+
+
+

Root Cause

+

+ Missing resource limits in the deduplication-handler component when processing large or chunked + responses with concurrent identical requests. +

+
+
+

Remediation

+

Upgrade undici to version 7.24.0 (direct upgrade available)

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/build@21.1.1undici@7.18.2 +
+
+
+
+ +
+
+ +
+ high +
+
Improper Handling of Highly Compressed Data (Data Amplification)
+
+ undici@7.18.2  |  CVSS: 8.7  |  + CVE-2026-1526 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 8.7 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P +

+
+
+

Identifiers

+ +
+
+
+

Description

+

+ undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this + package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) in the + PerMessageDeflate.decompress() method of the permessage-deflate extension. An attacker + can cause excessive memory usage by sending specially crafted compressed WebSocket frames that + decompress to a very large size, potentially leading to process crashes or unresponsiveness. +

+
+
+

Impact

+

+ Allows attackers to cause excessive memory usage via compressed data that decompresses to a very large + size, leading to service crashes. +

+
+
+

Root Cause

+

+ Missing decompression size limits in the permessage-deflate WebSocket extension, allowing compressed + data to expand to an unlimited size in memory. +

+
+
+

Remediation

+

Upgrade undici to version 6.24.0, 7.24.0 (direct upgrade available)

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/build@21.1.1undici@7.18.2 +
+
+
+
+ +
+
+ +
+ high +
+
Uncaught Exception
+
+ undici@7.18.2  |  CVSS: 8.7  |  + CVE-2026-2229 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 8.7 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P +

+
+
+

Identifiers

+ +
+
+
+

Description

+

+ undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this + package are vulnerable to Uncaught Exception through improper validation of the + server_max_window_bits parameter in the permessage-deflate extension. An attacker can + cause the process to terminate unexpectedly by sending a maliciously crafted value outside the valid + range, which triggers an unhandled exception when the client attempts to create a zlib InflateRaw + instance. +

+
+
+

Impact

+

+ Allows attackers to crash the application by triggering unhandled exceptions, resulting in denial of + service. +

+
+
+

Root Cause

+

+ Missing input validation in WebSocket frame processing, allowing specially crafted frames with extreme + values to trigger unhandled exceptions. +

+
+
+

Remediation

+

Upgrade undici to version 6.24.0, 7.24.0 (direct upgrade available)

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/build@21.1.1undici@7.18.2 +
+
+
+
+ +
+
+ +
+ high +
+
Missing Authentication for Critical Function
+
+ vite@7.3.0  |  CVSS: 8.2  |  + CVE-2026-39363 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 8.2 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P +

+
+
+

Identifiers

+ +
+
+
+

Description

+

+ vite is a Native-ESM powered web dev build tool

Affected versions of this package are + vulnerable to Missing Authentication for Critical Function via the fetchModule method + exposed through the WebSocket interface when the server is explicitly exposed to the network and + WebSocket is enabled. An attacker can access arbitrary files on the server by connecting to the + WebSocket without an Origin header and invoking fetchModule with a crafted + file URL, thereby retrieving sensitive file contents as JavaScript modules. + + Note: + + This is only exploitable if the development server is started with network exposure (such as using + --host or the server.host configuration) and WebSocket is not disabled. +

+
+
+

Impact

+

+ Allows unauthenticated attackers to access arbitrary files on the server, potentially exposing + sensitive source code and configurations. +

+
+
+

Root Cause

+

+ Missing authentication on the WebSocket interface, allowing unauthenticated access to the fetchModule + method which can read arbitrary files. +

+
+
+

Remediation

+

Upgrade vite to version 6.4.2, 7.3.2, 8.0.5 (direct upgrade available)

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/build@21.1.1vite@7.3.0 +
+
+
+
+ +
+
+ +
+ high +
+
Incorrect Behavior Order: Validate Before Canonicalize
+
+ vite@7.3.0  |  CVSS: 8.2  |  + CVE-2026-39364 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 8.2 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P +

+
+
+

Identifiers

+ +
+
+
+

Description

+

+ vite is a Native-ESM powered web dev build tool

Affected versions of this package are + vulnerable to Incorrect Behavior Order: Validate Before Canonicalize through the + server.fs.deny component. An attacker can access sensitive files by appending specific + query parameters such as ?raw, ?import&raw, or + ?import&url&inline to HTTP requests. + + Note: + + This is only exploitable if the development server is explicitly exposed to the network, the sensitive + file exists within directories allowed by server.fs.allow, and the file is denied by a + pattern in server.fs.deny. +

+
+
+

Impact

+

+ Allows attackers to bypass file access restrictions by appending specific query parameters to + requests. +

+
+
+

Root Cause

+

+ Validation of file access occurs before URL canonicalization, allowing query parameters to bypass + server.fs.deny restrictions. +

+
+
+

Remediation

+

Upgrade vite to version 7.3.2, 8.0.5 (direct upgrade available)

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/build@21.1.1vite@7.3.0 +
+
+
+
+ +
+
+ +
+ medium +
+
Prototype Pollution
+
+ picomatch@4.0.3  |  CVSS: 6.9  |  + CVE-2026-33672 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 6.9 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N +

+
+
+

Identifiers

+ +
+
+
+

Description

+

+ Affected versions of this package are vulnerable to Prototype Pollution via the + POSIX_REGEX_SOURCE object. An attacker can cause unintended files to be matched by + injecting specially crafted POSIX bracket expressions that reference inherited method names, leading + to incorrect glob matching behavior. This can result in security-relevant logic errors in applications + that rely on glob matching for filtering, validation, or access control. +

+
+
+

Impact

+

+ Allows attackers to modify object prototypes, leading to incorrect glob matching behavior that can + bypass security controls. +

+
+
+

Root Cause

+

+ POSIX_REGEX_SOURCE object uses a regular prototype, allowing inherited method names to be accessed via + crafted POSIX bracket expressions. +

+
+
+

Remediation

+

+ Upgrade picomatch to version 2.3.2, 3.0.2, 4.0.4 (direct upgrade available) +

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/build@21.1.1picomatch@4.0.3 +
+
+
+
+ +
+
+ +
+ medium +
+
HTTP Request Smuggling
+
+ undici@7.18.2  |  CVSS: 6.9  |  + CVE-2026-1525 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 6.9 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P +

+
+
+

Identifiers

+
    +
  • Snyk ID: SNYK-JS-UNDICI-15518061
  • +
  • + CVE: + CVE-2026-1525 +
  • +
  • + CWE: + CWE-444 +
  • +
  • GHSA: N/A
  • +
  • Exploit Maturity: Proof of Concept
  • +
+
+
+
+

Description

+

+ undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this + package are vulnerable to HTTP Request Smuggling in the processHeader() while handling + HTTP/1.1 requests containing duplicate Content-Length headers with differing casing. An + attacker can bypass access controls, poison caches, hijack credentials, or cause service disruption by + sending specially crafted HTTP requests that are interpreted inconsistently by proxies and backend + servers. +

+
+
+

Impact

+

+ Allows attackers to bypass access controls, poison caches, hijack credentials, or cause service + disruption through inconsistent HTTP request interpretation. +

+
+
+

Root Cause

+

+ Improper handling of duplicate Content-Length headers with differing casing in HTTP/1.1 requests, + causing inconsistent request interpretation between proxies and backends. +

+
+
+

Remediation

+

Upgrade undici to version 6.24.0, 7.24.0 (direct upgrade available)

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/build@21.1.1undici@7.18.2 +
+
+
+
+ +
+
+ +
+ medium +
+
CRLF Injection
+
+ undici@7.18.2  |  CVSS: 5.1  |  + CVE-2026-1527 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 5.1 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N +

+
+
+

Identifiers

+
    +
  • Snyk ID: SNYK-JS-UNDICI-15518072
  • +
  • + CVE: + CVE-2026-1527 +
  • +
  • + CWE: + CWE-93 +
  • +
  • GHSA: N/A
  • +
  • Exploit Maturity: Not Defined
  • +
+
+
+
+

Description

+

+ undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this + package are vulnerable to CRLF Injection via the upgrade option of the + client.request() function. An attacker can inject malicious data into HTTP headers or + prematurely terminate HTTP requests by sending specially crafted input, potentially leading to + unauthorized information disclosure or bypassing of security controls. +

+
+
+

Impact

+

+ Allows attackers to inject malicious data into HTTP headers, potentially leading to unauthorized + information disclosure or security control bypass. +

+
+
+

Root Cause

+

+ Insufficient input sanitization in the upgrade option of the client.request() function, allowing CRLF + characters to be injected into HTTP headers. +

+
+
+

Remediation

+

Upgrade undici to version 6.24.0, 7.24.0 (direct upgrade available)

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/build@21.1.1undici@7.18.2 +
+
+
+
+ +
+
+ +
+ medium +
+
Directory Traversal
+
+ vite@7.3.0  |  CVSS: 6.3  |  + CVE-2026-39365 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 6.3 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P +

+
+
+

Identifiers

+ +
+
+
+

Description

+

+ vite is a Native-ESM powered web dev build tool

Affected versions of this package are + vulnerable to Directory Traversal via the handling of .map files in the dev server when + resolving file paths. An attacker can access sensitive files outside the project root by injecting + ../ segments into the URL, provided the files are valid source map JSON and the server is + explicitly exposed to the network with predictable .map file paths. + + Note: + + This is only exploitable if the dev server is started with the --host flag or the + server.host configuration option, and sensitive content exists in predictable + .map files. +

+
+
+

Impact

+

+ Allows attackers to access sensitive files outside the intended directory, potentially exposing source + code, configuration, or credentials. +

+
+
+

Root Cause

+

+ Improper path resolution when handling .map file requests in the dev server, allowing directory + traversal via ../ segments. +

+
+
+

Remediation

+

Upgrade vite to version 6.4.2, 7.3.2, 8.0.5 (direct upgrade available)

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/build@21.1.1vite@7.3.0 +
+
+
+
+ +
+
+ +
+ low +
+
Cross-site Scripting (XSS)
+
+ @angular/compiler@21.1.1  |  CVSS: 2.1  |  + CVE-2026-32635 +
+
+ +
+
+
+
+
+

CVSS Details

+
+ 2.1 + / 10.0 +
+

+ CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N +

+
+
+

Identifiers

+ +
+
+
+

Description

+

+ Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of + internationalized attribute bindings. An attacker can execute arbitrary scripts in the + context of the application by injecting malicious input into attributes such as href, + src, or similar, when these are marked for internationalization and bound to unsanitized + user data. + + Note: This is only exploitable if unsanitized user input is bound to a + security-sensitive attribute that is also marked with an i18n-<attribute> directive + on the same element. +

+
+
+

Impact

+

+ Allows attackers to execute arbitrary scripts in the context of the application, potentially stealing + session tokens or sensitive data. +

+
+
+

Root Cause

+

+ Improper handling of internationalized attribute bindings (i18n-<attribute> directives) allows + unsanitized user input to be bound to security-sensitive attributes. +

+
+
+

Remediation

+

+ Upgrade @angular/compiler to version 19.2.20, 20.3.18, 21.2.4 (direct + upgrade available) +

+

Upgradable via direct dependency update

+
+
+ Dependency Path: angular-realworld@0.0.0 → + @angular/compiler@21.1.1 +
+
+
+
+
+ +
+

+ 🔎 Section 2: Code Analysis Findings (SAST - Snyk Code) +

+ +
+
+ +
+ Medium +
+
Use of Hardcoded Passwords
+
+ 2 occurrence(s)  |  CWE: + CWE-798, + CWE-259 +
+
+ +
+
+
+
+

Affected Locations

+
    +
  • + e2e/helpers/auth.ts:56
    Use of Hardcoded Passwords: Do not hardcode passwords in code. Found hardcoded password used in + pass... +
  • +
  • + realworld/specs/e2e/helpers/auth.ts:56
    Use of Hardcoded Passwords: Do not hardcode passwords in code. Found hardcoded password used in + pass... +
  • +
+
+
+
+
+ +
+
+ +
+ Low +
+
Improper Type Validation
+
+ 1 occurrence(s)  |  CWE: + CWE-1287 +
+
+ +
+
+
+
+

Affected Locations

+
    +
  • + realworld/specs/api/hurl-to-bruno.js:436
    Improper Type Validation: The type of this object, coming from body and the value of its split + prope... +
  • +
+
+
+
+
+ +
+
+ +
+ Low +
+
Hardcoded Non-Cryptographic Secret
+
+ 2 occurrence(s)  |  CWE: + CWE-547 +
+
+ +
+
+
+
+

Affected Locations

+
    +
  • + src/app/core/auth/services/jwt.service.spec.ts:132
    Hardcoded Non-Cryptographic Secret: Avoid hardcoding values that are meant to be secret. Found a + har... +
  • +
  • + src/app/core/auth/services/jwt.service.spec.ts:133
    Hardcoded Non-Cryptographic Secret: Avoid hardcoding values that are meant to be secret. Found a + har... +
  • +
+
+
+
+
+ +
+
+ +
+ Low +
+
Use of Hardcoded Credentials
+
+ 12 occurrence(s)  |  CWE: + CWE-798 +
+
+ +
+
+
+
+

Affected Locations

+
    +
  • + src/app/core/auth/services/user.service.spec.ts:100
    Use of Hardcoded Credentials: Do not hardcode credentials in code. Found hardcoded credential + used i... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:109
    Use of Hardcoded Credentials: Do not hardcode credentials in code. Found hardcoded credential + used i... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:118
    Use of Hardcoded Credentials: Do not hardcode credentials in code. Found hardcoded credential + used i... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:133
    Use of Hardcoded Credentials: Do not hardcode credentials in code. Found hardcoded credential + used i... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:330
    Use of Hardcoded Credentials: Do not hardcode credentials in code. Found hardcoded credential + used i... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:349
    Use of Hardcoded Credentials: Do not hardcode credentials in code. Found hardcoded credential + used i... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:145
    Use of Hardcoded Credentials: Do not hardcode credentials in code. Found hardcoded credential + used i... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:146
    Use of Hardcoded Credentials: Do not hardcode credentials in code. Found hardcoded credential + used i... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:158
    Use of Hardcoded Credentials: Do not hardcode credentials in code. Found hardcoded credential + used i... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:159
    Use of Hardcoded Credentials: Do not hardcode credentials in code. Found hardcoded credential + used i... +
  • +
  • ...and 2 more locations
  • +
+
+
+
+
+ +
+
+ +
+ Low +
+
Use of Hardcoded Passwords
+
+ 8 occurrence(s)  |  CWE: + CWE-798, + CWE-259 +
+
+ +
+
+
+
+

Affected Locations

+
    +
  • + src/app/core/auth/services/user.service.spec.ts:100
    Use of Hardcoded Passwords: Do not hardcode passwords in code. Found hardcoded password used in + pass... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:109
    Use of Hardcoded Passwords: Do not hardcode passwords in code. Found hardcoded password used in + pass... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:118
    Use of Hardcoded Passwords: Do not hardcode passwords in code. Found hardcoded password used in + pass... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:147
    Use of Hardcoded Passwords: Do not hardcode passwords in code. Found hardcoded password used in + pass... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:160
    Use of Hardcoded Passwords: Do not hardcode passwords in code. Found hardcoded password used in + pass... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:173
    Use of Hardcoded Passwords: Do not hardcode passwords in code. Found hardcoded password used in + pass... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:330
    Use of Hardcoded Passwords: Do not hardcode passwords in code. Found hardcoded password used in + pass... +
  • +
  • + src/app/core/auth/services/user.service.spec.ts:349
    Use of Hardcoded Passwords: Do not hardcode passwords in code. Found hardcoded password used in + pass... +
  • +
+
+
+
+
+
+ +
+

Section 3: Infrastructure Findings (IaC Scan)

+
+

+ The Snyk IaC scan found no infrastructure-as-code configuration files (Terraform, + CloudFormation, Kubernetes manifests, Dockerfiles) in this repository. This is expected for a pure frontend + Angular application. +

+

+ No Dockerfile, docker-compose.yml, Kubernetes manifests, or CI/CD pipeline configurations were detected for + IaC scanning. +

+
+
+ +
+

🔨 Section 4: Snyk MCP Integration Assessment

+
+

Tool Performance & Scan Coverage

+
+
+
SCA Scan (Open Source)
+
Completed
+
16 vulnerabilities found across 606 dependencies
+
+
+
SAST Scan (Code Analysis)
+
Completed
+
25 code issues found across source files
+
+
+
IaC Scan
+
N/A
+
No IaC files present in repository
+
+
+
Container Scan
+
N/A
+
No container images available
+
+
+
Authentication
+
Authenticated
+
+ User: Jake Cosme | Org: 9e26acce-22c7-4efc-b470-21d9587f49fe +
+
+
+
+
+ +
+

🛠 Section 5: Synthesized Remediation Plan

+
+

Prioritized Remediation Steps

+
    +
  1. + [CRITICAL] Update @angular/build to version + 19.2.21, 20.3.17, 21.1.5
    Addresses: Server-side Request Forgery (SSRF) +
    Direct upgrade available +
  2. + +
  3. + [CRITICAL] Update @schematics/angular to version + 19.2.21, 20.3.17, 21.1.5
    Addresses: Server-side Request Forgery (SSRF) +
    Direct upgrade available +
  4. + +
  5. + [HIGH] Update ajv to version 6.14.0, 8.18.0
    Addresses: Regular Expression Denial of Service (ReDoS) +
    Direct upgrade available +
  6. + +
  7. + [HIGH] Update @modelcontextprotocol/sdk to version 1.26.0 +
    Addresses: Race Condition
    Direct upgrade available +
  8. + +
  9. + [HIGH] Update picomatch to version 2.3.2, 3.0.2, 4.0.4 +
    Addresses: Regular Expression Denial of Service (ReDoS), Prototype Pollution +
    Direct upgrade available +
  10. + +
  11. + [HIGH] Update undici to version 6.24.0, 7.24.0
    Addresses: Uncaught Exception, Allocation of Resources Without Limits or Throttling, Improper Handling + of Highly Compressed Data (Data Amplification) +
    Direct upgrade available +
  12. + +
  13. + [HIGH] Update vite to version 6.4.2, 7.3.2, 8.0.5
    Addresses: Missing Authentication for Critical Function, Incorrect Behavior Order: Validate Before + Canonicalize, Directory Traversal +
    Direct upgrade available +
  14. + +
  15. + [LOW] Update @angular/compiler to version + 19.2.20, 20.3.18, 21.2.4
    Addresses: Cross-site Scripting (XSS) +
    Direct upgrade available +
  16. + +
  17. + [CODE] Address hardcoded credentials in test files
    Use environment variables or test fixtures instead of hardcoded passwords/tokens in spec files and e2e + helpers +
  18. +
  19. + [CI/CD] Integrate Snyk into CI pipeline
    Add snyk test and snyk code test to your CI/CD workflow for continuous + vulnerability monitoring
    npx snyk test --all-projects --dev
    npx snyk code test +
  20. +
+
+
+ +
+

+ 📊 Section 6: Complete Vulnerability Assessment Table +

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SeverityCVE / IDCVSSPackageTitleCWEFix VersionExploitability
criticalCVE-2026-277399.2@angular/build@21.1.1Server-side Request Forgery (SSRF)CWE-91819.2.21, 20.3.17Not Defined
criticalCVE-2026-277399.2@schematics/angular@21.1.1Server-side Request Forgery (SSRF)CWE-91819.2.21, 20.3.17Not Defined
highCVE-2025-698738.2ajv@8.17.1Regular Expression Denial of Service (ReDoS)CWE-13336.14.0, 8.18.0Proof of Concept
highCVE-2026-255367.1@modelcontextprotocol/sdk@1.25.2Race ConditionCWE-3621.26.0Not Defined
highCVE-2026-336718.7picomatch@4.0.3Regular Expression Denial of Service (ReDoS)CWE-13332.3.2, 3.0.2Not Defined
highCVE-2026-15288.7undici@7.18.2Uncaught ExceptionCWE-2486.24.0, 7.24.0Proof of Concept
highCVE-2026-25818.2undici@7.18.2Allocation of Resources Without Limits or ThrottlingCWE-7707.24.0Proof of Concept
highCVE-2026-15268.7undici@7.18.2Improper Handling of Highly Compressed Data (Data Amplification)CWE-4096.24.0, 7.24.0Proof of Concept
highCVE-2026-22298.7undici@7.18.2Uncaught ExceptionCWE-2486.24.0, 7.24.0Proof of Concept
highCVE-2026-393638.2vite@7.3.0Missing Authentication for Critical FunctionCWE-3066.4.2, 7.3.2Proof of Concept
highCVE-2026-393648.2vite@7.3.0Incorrect Behavior Order: Validate Before CanonicalizeCWE-1807.3.2, 8.0.5Proof of Concept
mediumCVE-2026-336726.9picomatch@4.0.3Prototype PollutionCWE-13212.3.2, 3.0.2Not Defined
mediumCVE-2026-15256.9undici@7.18.2HTTP Request SmugglingCWE-4446.24.0, 7.24.0Proof of Concept
mediumCVE-2026-15275.1undici@7.18.2CRLF InjectionCWE-936.24.0, 7.24.0Not Defined
mediumCVE-2026-393656.3vite@7.3.0Directory TraversalCWE-226.4.2, 7.3.2Proof of Concept
lowCVE-2026-326352.1@angular/compiler@21.1.1Cross-site Scripting (XSS)CWE-7919.2.20, 20.3.18Not Defined
+
+
+ + +
+ +
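Review bot: Two "Root Cause" blocks in this report contradict their own descriptions and look copy-pasted from the preceding entry: the picomatch ReDoS entry (CVE-2026-33671) gives "Improper validation of the pattern keyword when combined with $data references", which is the ajv root cause, while its description is about crafted extglob patterns causing catastrophic backtracking; and the undici CVE-2026-2229 entry repeats the CVE-2026-1528 text "Missing input validation in WebSocket frame processing ... extreme values", while its description is about an unvalidated server_max_window_bits parameter in the permessage-deflate negotiation. Both should be rewritten to match the descriptions before this is committed as an assessment. A second consistency problem: every entry is labelled "Upgradable via direct dependency update", but the dependency paths show most of them as transitive (@schematics/angular via @angular/cli, ajv via @angular-devkit/core, picomatch, undici and vite via @angular/build), so the actionable step in Section 5 is to bump @angular/cli and @angular/build to a release that pulls the fixed versions (or add a package-manager override), not to edit those packages in package.json directly. The CVSS scores also do not match the "CVSS:3.1/..." vectors printed next to them (the picomatch vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H scores 7.5 under 3.1, not the 8.7 shown, which reads like a CVSS 4.0 score), and the trailing "/E:P" is a temporal metric; label the scoring version consistently so the Critical/High banding can be audited. Smaller points: the Section 6 "Fix Version" column truncates the version lists ("19.2.21, 20.3.17" drops 21.1.5, the only fix on the 21.x line this repo uses), and the undici step in Section 5 omits HTTP Request Smuggling and CRLF Injection even though the same 7.24.0 upgrade resolves them. Finally, Section 4 embeds the scanning user's name and Snyk org ID in a file that will live in the repository; that is not needed for the assessment and should be dropped.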