Command
build
Is this a regression?
The previous version in which this bug was not present was
No response
Description
CVE-2026-55603
Impact
When the preconditions hold, an attacker injects/overrides multipart fields seen only by the backend:
Validation / access-control bypass bypass gateway-side field checks (demonstrated below: a gateway that forbids role=admin is bypassed; backend grants admin).
Parameter tampering add or overwrite fields the backend trusts (IDs, flags, prices).
File-part injection inject a filename="..." part into the upstream multipart stream.
Upgrade http-proxy-middleware from 3.0.5 to 3.0.7 to fix the vulnerability.
Minimal Reproduction
N/A
Angular version 20.3.x
Exception or Error
Your Environment
Anything else relevant?
No response
Command
build
Is this a regression?
The previous version in which this bug was not present was
No response
Description
CVE-2026-55603
Impact
When the preconditions hold, an attacker injects/overrides multipart fields seen only by the backend:
Validation / access-control bypass bypass gateway-side field checks (demonstrated below: a gateway that forbids role=admin is bypassed; backend grants admin).
Parameter tampering add or overwrite fields the backend trusts (IDs, flags, prices).
File-part injection inject a filename="..." part into the upstream multipart stream.
Upgrade http-proxy-middleware from 3.0.5 to 3.0.7 to fix the vulnerability.
Minimal Reproduction
N/A
Angular version 20.3.x
Exception or Error
Your Environment
Anything else relevant?
No response