@angular/core is vulnerable to Prototype Pollution
42
Medium Risk
Improper handling of user-controlled localeId values in registerLocaleData allowed writes into a plain object used as a shared internal registry, enabling keys such as constructor or prototype to trigger prototype pollution instead of being stored as ordinary data. In long-running SSR environments, this could taint object behavior across requests for the lifetime of the process. An attacker able to call the public API with a crafted locale identifier could inject attacker-controlled properties into Object.prototype, causing unexpected property inheritance, corrupted application state, information leakage through serialization or enumeration, and potentially broader security impact depending on how polluted objects are later consumed.
You are affected if you are using a version that falls within the vulnerable range.
@angular/core is vulnerable to Prototype Pollution in versions 0.0.1 - 21.2.15.
Upgrade the @angular/core library to the patched version.
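The class of bug described above, shown as an added example that is not Angular's code: a hypothetical locale registry backed by a plain object next to a hardened form backed by a Map with identifier validation. The function names, the locale-id pattern and the sample data are assumptions made for illustration.

```javascript
// Added illustration with a hypothetical registry; not Angular's implementation.
// Weak form: an object literal inherits from Object.prototype, so some ids
// resolve through the prototype chain instead of behaving as plain data.
function makeUnsafeRegistry() {
  const store = {};
  return {
    register(localeId, data) { store[localeId] = data; },
    lookup(localeId) { return store[localeId]; },
  };
}

// Hardened form: check the id shape, then keep entries in a Map, whose keys
// are never interpreted as properties of the container. The deny-list is
// redundant with the pattern and is kept as a second check.
const LOCALE_ID = /^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$/; // assumed conservative shape
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);
function normalizeLocaleId(localeId) {
  const lower = typeof localeId === 'string' ? localeId.toLowerCase() : '';
  const id = lower.replace(/_/g, '-');
  if (RESERVED.has(lower) || !LOCALE_ID.test(id)) {
    throw new RangeError(`rejected locale id: ${JSON.stringify(localeId)}`);
  }
  return id;
}

function makeSafeRegistry() {
  const store = new Map();
  return {
    register(localeId, data) { store.set(normalizeLocaleId(localeId), data); },
    lookup(localeId) { return store.get(String(localeId).toLowerCase().replace(/_/g, '-')); },
  };
}

// Runs both registries over constructed sample input and reports the difference.
function compare() {
  const unsafe = makeUnsafeRegistry();
  const safe = makeSafeRegistry();
  safe.register('fr_CA', ['constructed sample']);
  const rejected = ['constructor', 'prototype', '__proto__'].filter((id) => {
    try { safe.register(id, {}); return false; } catch { return true; }
  });
  return {
    // Never registered, yet the plain object returns the global Object constructor.
    unsafeReturnsGlobal: unsafe.lookup('constructor') === Object,
    safeLookup: safe.lookup('constructor'),
    roundTrip: safe.lookup('fr-CA'),
    rejected,
  };
}
```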