@angular-devkit/build-angular is vulnerable to OS Command Injection
44
Medium Risk
The ssr-dev-server builder in @angular-devkit/build-angular starts the SSR server by joining the command and its arguments into a single string and running it with a shell enabled. The server output path taken from the project angular.json configuration is inserted into that string with manual quoting, so a crafted output path value containing shell command substitution or metacharacters is evaluated by the shell when the dev server starts. This allows arbitrary operating system commands to run with the privileges of the developer executing the build. The fix passes the command and arguments separately to the process spawn call and removes the manual quoting and the shell option.
You are affected if you are using a version that falls within the vulnerable range and you run the ssr-dev-server builder on a project whose output path configuration comes from an untrusted source.
@angular-devkit/build-angular is vulnerable to OS Command Injection in versions 17.0.0 - 22.0.4.
Upgrade the @angular-devkit/build-angular library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant