Notice of XSS issue affecting Angular Universal 16.1.0–16.1.1 | by Emma Twersky


Yesterday the Angular team became aware of a bug in the Critters npm package that can lead to cross-site scripting (XSS) vulnerabilities. This issue affects Critters versions 0.0.17, 0.0.18, and 0.0.19. Version 0.0.20 contains a fix.

Angular Universal (specifically @nguniversal/common) versions 16.1.0–16.1.1 depend on the impacted versions of Critters. This vulnerability is fixed in version 16.1.2.

This bug affects applications that use Angular Universal for server-side rendering (SSR). Applications that use build-time prerendering may be affected if they include user-authored data in their pre-rendered HTML. We have no evidence at this time that this bug has been exploited in the wild.

If you depend on any of the affected versions, update your Critters and Angular Universal versions immediately.
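One way to check whether a project is in the affected ranges, as an added example that is not part of the notice or of the Angular or Critters projects: scan the npm lockfile for the exact Critters and @nguniversal/common versions listed above, including nested copies (a patched top-level critters does not help if @nguniversal/common pins its own copy under its node_modules). The lockfile in the block is a constructed sample; the lockfile layouts handled (lockfileVersion 2/3 "packages" map, lockfileVersion 1 "dependencies" tree) and the `scanLockfile` helper are assumptions of this example.

```javascript
// Added example, not part of the Angular team's notice: scan an npm lockfile
// for the Critters and @nguniversal/common versions named in the advisory.
// Assumptions: the lockfile is lockfileVersion 2/3 (a "packages" map keyed by
// "node_modules/<name>") or lockfileVersion 1 (a nested "dependencies" map);
// versions are compared as exact strings, so a pre-release or build suffix
// will not match and should be checked by hand.

const AFFECTED = {
  // Versions the notice lists as vulnerable.
  critters: ['0.0.17', '0.0.18', '0.0.19'],
  '@nguniversal/common': ['16.1.0', '16.1.1'],
};

// Every installed (name, version, path) triple, including nested copies such
// as node_modules/@nguniversal/common/node_modules/critters, which a
// top-level-only check would miss.
function collectInstalled(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx === -1) continue; // the "" key is the root project itself
      const name = path.slice(idx + 'node_modules/'.length);
      found.push({ name, version: entry.version, path });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        found.push({ name, version: entry.version, path });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Installed packages whose exact version appears in AFFECTED.
function findAffected(lock) {
  return collectInstalled(lock).filter(
    (p) => AFFECTED[p.name] !== undefined && AFFECTED[p.name].includes(p.version)
  );
}

// Human-readable summary. An empty hit list only means nothing in the notice's
// ranges is in the lockfile; a vendored or bundled copy would not appear here.
function formatReport(hits) {
  if (hits.length === 0) return 'No affected Critters / @nguniversal/common versions found.';
  return hits.map((h) => `AFFECTED: ${h.name}@${h.version} at ${h.path}`).join('\n');
}

// Read and scan a real package-lock.json (Node.js only; assumed helper name).
function scanLockfile(lockPath) {
  const fs = require('fs');
  return findAffected(JSON.parse(fs.readFileSync(lockPath, 'utf8')));
}

// Constructed sample lockfile (lockfileVersion 3) for demonstration: the
// top-level critters is already patched, but @nguniversal/common 16.1.1
// carries its own nested, still-vulnerable copy.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.0.0' },
    'node_modules/@angular/core': { version: '16.1.0' },
    'node_modules/@nguniversal/common': { version: '16.1.1' },
    'node_modules/@nguniversal/common/node_modules/critters': { version: '0.0.19' },
    'node_modules/critters': { version: '0.0.20' },
  },
};

console.log(formatReport(findAffected(SAMPLE_LOCK)));
```

Run as-is to see the report for the constructed sample (two hits: @nguniversal/common 16.1.1 and the nested critters 0.0.19); against a real project, call `scanLockfile('package-lock.json')`. After updating, re-run the scan and also confirm that no nested copy remains, since an upgraded top-level Critters does not change what @nguniversal/common itself resolves.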

Applications that do not use Angular Universal should not be affected. Angular CLI does use Critters in its build process for non-Universal applications; however, exploiting the bug in question in that scenario requires a malicious actor to already have access to modify the application source code.

We will follow up with another blog post soon with a more detailed post-mortem.


