Search criteria
6 vulnerabilities found for angular-cli by angular
CVE-2026-27739 (GCVE-0-2026-27739)
Vulnerability from nvd – Published: 2026-02-25 16:47 – Updated: 2026-02-25 16:47
VLAI?
Title
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
Summary
The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the host domain, path and character sanitization, and port validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to credential exfiltration, internal network probing, and a confidentiality breach. In order to be vulnerable, the victim application must use Angular SSR (Server-Side Rendering), the application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object, the application server must be reachable by an attacker who can influence these headers without strict validation from a front-facing proxy, and the infrastructure (Cloud, CDN, or Load Balancer) must not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Some workarounds are available. Avoid using `req.headers` for URL construction. Instead, use trusted variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their `server.ts` to enforce numeric ports and validated hostnames.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| angular | angular-cli |
Affected:
>= 21.2.0-next.2, < 21.2.0-rc.0
Affected: >= 21.0.0-next.0, < 21.1.5 Affected: >= 20.0.0-next.0, < 20.3.17 Affected: < 19.2.21 |
||||||||||||
|
||||||||||||||
{
"containers": {
"cna": {
"affected": [
{
"product": "angular-cli",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003e= 21.2.0-next.2, \u003c 21.2.0-rc.0"
},
{
"status": "affected",
"version": "\u003e= 21.0.0-next.0, \u003c 21.1.5"
},
{
"status": "affected",
"version": "\u003e= 20.0.0-next.0, \u003c 20.3.17"
},
{
"status": "affected",
"version": "\u003c 19.2.21"
}
]
},
{
"product": "@nguniversal/common",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003c= 16.2.0"
}
]
},
{
"product": "@nguniversal/express-engine",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003c= 16.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular\u2019s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application\u0027s base origin without any validation of the destination domain. Specifically, the framework didn\u0027t have checks for the host domain, path and character sanitization, and port validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to credential exfiltration, internal network probing, and a confidentiality breach. In order to be vulnerable, the victim application must use Angular SSR (Server-Side Rendering), the application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object, the application server must be reachable by an attacker who can influence these headers without strict validation from a front-facing proxy, and the infrastructure (Cloud, CDN, or Load Balancer) must not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Some workarounds are available. Avoid using `req.headers` for URL construction. Instead, use trusted variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their `server.ts` to enforce numeric ports and validated hostnames."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T16:47:29.705Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx"
},
{
"name": "https://github.com/angular/angular-cli/pull/32516",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular-cli/pull/32516"
},
{
"name": "https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf",
"tags": [
"x_refsource_MISC"
],
"url": "https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF"
}
],
"source": {
"advisory": "GHSA-x288-3778-4hhx",
"discovery": "UNKNOWN"
},
"title": "Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27739",
"datePublished": "2026-02-25T16:47:29.705Z",
"dateReserved": "2026-02-23T18:37:14.790Z",
"dateUpdated": "2026-02-25T16:47:29.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27738 (GCVE-0-2026-27738)
Vulnerability from nvd – Published: 2026-02-25 16:40 – Updated: 2026-02-25 16:40
VLAI?
Title
Angular SSR has an Open Redirect via X-Forwarded-Prefix
Summary
The Angular SSR is a server-rise rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-rc.1. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes. This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking. In order to be vulnerable, the application must use Angular SSR, the application must have routes that perform internal redirects, the infrastructure (Reverse Proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without sanitization, and the cache must not vary on the `X-Forwarded-Prefix` header. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their`server.ts` before the Angular engine processes the request.
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| angular | angular-cli |
Affected:
>= 21.2.0-next.2, < 21.2.0-rc.0
Affected: >= 21.0.0-next.0, < 21.1.5 Affected: >= 20.0.0-next.0, < 20.3.17 Affected: >= 19.0.0-next.0, < 19.2.21 |
{
"containers": {
"cna": {
"affected": [
{
"product": "angular-cli",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003e= 21.2.0-next.2, \u003c 21.2.0-rc.0"
},
{
"status": "affected",
"version": "\u003e= 21.0.0-next.0, \u003c 21.1.5"
},
{
"status": "affected",
"version": "\u003e= 20.0.0-next.0, \u003c 20.3.17"
},
{
"status": "affected",
"version": "\u003e= 19.0.0-next.0, \u003c 19.2.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Angular SSR is a server-rise rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-rc.1. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes. This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking. In order to be vulnerable, the application must use Angular SSR, the application must have routes that perform internal redirects, the infrastructure (Reverse Proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without sanitization, and the cache must not vary on the `X-Forwarded-Prefix` header. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their`server.ts` before the Angular engine processes the request."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T16:40:44.724Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/angular/angular-cli/security/advisories/GHSA-xh43-g2fq-wjrj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/angular/angular-cli/security/advisories/GHSA-xh43-g2fq-wjrj"
},
{
"name": "https://github.com/angular/angular-cli/issues/32501",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular-cli/issues/32501"
},
{
"name": "https://github.com/angular/angular-cli/pull/32521",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular-cli/pull/32521"
},
{
"name": "https://github.com/angular/angular-cli/commit/877f017ace4b83277d773aa37f5813e5e9faec7e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular-cli/commit/877f017ace4b83277d773aa37f5813e5e9faec7e"
}
],
"source": {
"advisory": "GHSA-xh43-g2fq-wjrj",
"discovery": "UNKNOWN"
},
"title": "Angular SSR has an Open Redirect via X-Forwarded-Prefix"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27738",
"datePublished": "2026-02-25T16:40:44.724Z",
"dateReserved": "2026-02-23T18:37:14.790Z",
"dateUpdated": "2026-02-25T16:40:44.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62427 (GCVE-0-2025-62427)
Vulnerability from nvd – Published: 2025-10-16 18:50 – Updated: 2025-10-17 13:24
VLAI?
Title
Server-Side Request Forgery (SSRF) in Angular SSR
Summary
The Angular SSR is a server-rise rendering tool for Angular applications. The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr) before 19.2.18, 20.3.6, and 21.0.0-next.8. The function createRequestUrl uses the native URL constructor. When an incoming request path (e.g., originalUrl or url) begins with a double forward slash (//) or backslash (\\), the URL constructor treats it as a schema-relative URL. This behavior overrides the security-intended base URL (protocol, host, and port) supplied as the second argument, instead resolving the URL against the scheme of the base URL but adopting the attacker-controlled hostname. This allows an attacker to specify an external domain in the URL path, tricking the Angular SSR environment into setting the page's virtual location (accessible via DOCUMENT or PlatformLocation tokens) to this attacker-controlled domain. Any subsequent relative HTTP requests made during the SSR process (e.g., using HttpClient.get('assets/data.json')) will be incorrectly resolved against the attacker's domain, forcing the server to communicate with an arbitrary external endpoint. This vulnerability is fixed in 19.2.18, 20.3.6, and 21.0.0-next.8.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| angular | angular-cli |
Affected:
>=19.0.0-next.0, < 19.2.18
Affected: >=20.0.0-next.0, < 20.3.6 Affected: >=21.0.0-next.0, < 21.0.0-next.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62427",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T19:33:05.989848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T19:33:28.924Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "angular-cli",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003e=19.0.0-next.0, \u003c 19.2.18"
},
{
"status": "affected",
"version": "\u003e=20.0.0-next.0, \u003c 20.3.6"
},
{
"status": "affected",
"version": "\u003e=21.0.0-next.0, \u003c 21.0.0-next.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Angular SSR is a server-rise rendering tool for Angular applications. The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular\u0027s Server-Side Rendering package (@angular/ssr) before 19.2.18, 20.3.6, and 21.0.0-next.8. The function createRequestUrl uses the native URL constructor. When an incoming request path (e.g., originalUrl or url) begins with a double forward slash (//) or backslash (\\\\), the URL constructor treats it as a schema-relative URL. This behavior overrides the security-intended base URL (protocol, host, and port) supplied as the second argument, instead resolving the URL against the scheme of the base URL but adopting the attacker-controlled hostname. This allows an attacker to specify an external domain in the URL path, tricking the Angular SSR environment into setting the page\u0027s virtual location (accessible via DOCUMENT or PlatformLocation tokens) to this attacker-controlled domain. Any subsequent relative HTTP requests made during the SSR process (e.g., using HttpClient.get(\u0027assets/data.json\u0027)) will be incorrectly resolved against the attacker\u0027s domain, forcing the server to communicate with an arbitrary external endpoint. This vulnerability is fixed in 19.2.18, 20.3.6, and 21.0.0-next.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T13:24:15.389Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/angular/angular-cli/security/advisories/GHSA-q63q-pgmf-mxhr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/angular/angular-cli/security/advisories/GHSA-q63q-pgmf-mxhr"
},
{
"name": "https://github.com/angular/angular-cli/commit/5271547c80662de10cb3bcb648779a83f6efedfb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular-cli/commit/5271547c80662de10cb3bcb648779a83f6efedfb"
}
],
"source": {
"advisory": "GHSA-q63q-pgmf-mxhr",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery (SSRF) in Angular SSR"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62427",
"datePublished": "2025-10-16T18:50:11.598Z",
"dateReserved": "2025-10-13T16:26:12.180Z",
"dateUpdated": "2025-10-17T13:24:15.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-27739 (GCVE-0-2026-27739)
Vulnerability from cvelistv5 – Published: 2026-02-25 16:47 – Updated: 2026-02-25 16:47
VLAI?
Title
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
Summary
The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the host domain, path and character sanitization, and port validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to credential exfiltration, internal network probing, and a confidentiality breach. In order to be vulnerable, the victim application must use Angular SSR (Server-Side Rendering), the application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object, the application server must be reachable by an attacker who can influence these headers without strict validation from a front-facing proxy, and the infrastructure (Cloud, CDN, or Load Balancer) must not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Some workarounds are available. Avoid using `req.headers` for URL construction. Instead, use trusted variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their `server.ts` to enforce numeric ports and validated hostnames.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| angular | angular-cli |
Affected:
>= 21.2.0-next.2, < 21.2.0-rc.0
Affected: >= 21.0.0-next.0, < 21.1.5 Affected: >= 20.0.0-next.0, < 20.3.17 Affected: < 19.2.21 |
||||||||||||
|
||||||||||||||
{
"containers": {
"cna": {
"affected": [
{
"product": "angular-cli",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003e= 21.2.0-next.2, \u003c 21.2.0-rc.0"
},
{
"status": "affected",
"version": "\u003e= 21.0.0-next.0, \u003c 21.1.5"
},
{
"status": "affected",
"version": "\u003e= 20.0.0-next.0, \u003c 20.3.17"
},
{
"status": "affected",
"version": "\u003c 19.2.21"
}
]
},
{
"product": "@nguniversal/common",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003c= 16.2.0"
}
]
},
{
"product": "@nguniversal/express-engine",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003c= 16.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular\u2019s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application\u0027s base origin without any validation of the destination domain. Specifically, the framework didn\u0027t have checks for the host domain, path and character sanitization, and port validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to credential exfiltration, internal network probing, and a confidentiality breach. In order to be vulnerable, the victim application must use Angular SSR (Server-Side Rendering), the application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object, the application server must be reachable by an attacker who can influence these headers without strict validation from a front-facing proxy, and the infrastructure (Cloud, CDN, or Load Balancer) must not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Some workarounds are available. Avoid using `req.headers` for URL construction. Instead, use trusted variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their `server.ts` to enforce numeric ports and validated hostnames."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T16:47:29.705Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx"
},
{
"name": "https://github.com/angular/angular-cli/pull/32516",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular-cli/pull/32516"
},
{
"name": "https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf",
"tags": [
"x_refsource_MISC"
],
"url": "https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF"
}
],
"source": {
"advisory": "GHSA-x288-3778-4hhx",
"discovery": "UNKNOWN"
},
"title": "Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27739",
"datePublished": "2026-02-25T16:47:29.705Z",
"dateReserved": "2026-02-23T18:37:14.790Z",
"dateUpdated": "2026-02-25T16:47:29.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27738 (GCVE-0-2026-27738)
Vulnerability from cvelistv5 – Published: 2026-02-25 16:40 – Updated: 2026-02-25 16:40
VLAI?
Title
Angular SSR has an Open Redirect via X-Forwarded-Prefix
Summary
The Angular SSR is a server-rise rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-rc.1. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes. This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking. In order to be vulnerable, the application must use Angular SSR, the application must have routes that perform internal redirects, the infrastructure (Reverse Proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without sanitization, and the cache must not vary on the `X-Forwarded-Prefix` header. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their`server.ts` before the Angular engine processes the request.
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| angular | angular-cli |
Affected:
>= 21.2.0-next.2, < 21.2.0-rc.0
Affected: >= 21.0.0-next.0, < 21.1.5 Affected: >= 20.0.0-next.0, < 20.3.17 Affected: >= 19.0.0-next.0, < 19.2.21 |
{
"containers": {
"cna": {
"affected": [
{
"product": "angular-cli",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003e= 21.2.0-next.2, \u003c 21.2.0-rc.0"
},
{
"status": "affected",
"version": "\u003e= 21.0.0-next.0, \u003c 21.1.5"
},
{
"status": "affected",
"version": "\u003e= 20.0.0-next.0, \u003c 20.3.17"
},
{
"status": "affected",
"version": "\u003e= 19.0.0-next.0, \u003c 19.2.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Angular SSR is a server-rise rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-rc.1. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes. This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking. In order to be vulnerable, the application must use Angular SSR, the application must have routes that perform internal redirects, the infrastructure (Reverse Proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without sanitization, and the cache must not vary on the `X-Forwarded-Prefix` header. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their`server.ts` before the Angular engine processes the request."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T16:40:44.724Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/angular/angular-cli/security/advisories/GHSA-xh43-g2fq-wjrj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/angular/angular-cli/security/advisories/GHSA-xh43-g2fq-wjrj"
},
{
"name": "https://github.com/angular/angular-cli/issues/32501",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular-cli/issues/32501"
},
{
"name": "https://github.com/angular/angular-cli/pull/32521",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular-cli/pull/32521"
},
{
"name": "https://github.com/angular/angular-cli/commit/877f017ace4b83277d773aa37f5813e5e9faec7e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular-cli/commit/877f017ace4b83277d773aa37f5813e5e9faec7e"
}
],
"source": {
"advisory": "GHSA-xh43-g2fq-wjrj",
"discovery": "UNKNOWN"
},
"title": "Angular SSR has an Open Redirect via X-Forwarded-Prefix"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27738",
"datePublished": "2026-02-25T16:40:44.724Z",
"dateReserved": "2026-02-23T18:37:14.790Z",
"dateUpdated": "2026-02-25T16:40:44.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62427 (GCVE-0-2025-62427)
Vulnerability from cvelistv5 – Published: 2025-10-16 18:50 – Updated: 2025-10-17 13:24
VLAI?
Title
Server-Side Request Forgery (SSRF) in Angular SSR
Summary
The Angular SSR is a server-rise rendering tool for Angular applications. The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr) before 19.2.18, 20.3.6, and 21.0.0-next.8. The function createRequestUrl uses the native URL constructor. When an incoming request path (e.g., originalUrl or url) begins with a double forward slash (//) or backslash (\\), the URL constructor treats it as a schema-relative URL. This behavior overrides the security-intended base URL (protocol, host, and port) supplied as the second argument, instead resolving the URL against the scheme of the base URL but adopting the attacker-controlled hostname. This allows an attacker to specify an external domain in the URL path, tricking the Angular SSR environment into setting the page's virtual location (accessible via DOCUMENT or PlatformLocation tokens) to this attacker-controlled domain. Any subsequent relative HTTP requests made during the SSR process (e.g., using HttpClient.get('assets/data.json')) will be incorrectly resolved against the attacker's domain, forcing the server to communicate with an arbitrary external endpoint. This vulnerability is fixed in 19.2.18, 20.3.6, and 21.0.0-next.8.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| angular | angular-cli |
Affected:
>=19.0.0-next.0, < 19.2.18
Affected: >=20.0.0-next.0, < 20.3.6 Affected: >=21.0.0-next.0, < 21.0.0-next.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62427",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T19:33:05.989848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T19:33:28.924Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "angular-cli",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003e=19.0.0-next.0, \u003c 19.2.18"
},
{
"status": "affected",
"version": "\u003e=20.0.0-next.0, \u003c 20.3.6"
},
{
"status": "affected",
"version": "\u003e=21.0.0-next.0, \u003c 21.0.0-next.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Angular SSR is a server-rise rendering tool for Angular applications. The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular\u0027s Server-Side Rendering package (@angular/ssr) before 19.2.18, 20.3.6, and 21.0.0-next.8. The function createRequestUrl uses the native URL constructor. When an incoming request path (e.g., originalUrl or url) begins with a double forward slash (//) or backslash (\\\\), the URL constructor treats it as a schema-relative URL. This behavior overrides the security-intended base URL (protocol, host, and port) supplied as the second argument, instead resolving the URL against the scheme of the base URL but adopting the attacker-controlled hostname. This allows an attacker to specify an external domain in the URL path, tricking the Angular SSR environment into setting the page\u0027s virtual location (accessible via DOCUMENT or PlatformLocation tokens) to this attacker-controlled domain. Any subsequent relative HTTP requests made during the SSR process (e.g., using HttpClient.get(\u0027assets/data.json\u0027)) will be incorrectly resolved against the attacker\u0027s domain, forcing the server to communicate with an arbitrary external endpoint. This vulnerability is fixed in 19.2.18, 20.3.6, and 21.0.0-next.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T13:24:15.389Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/angular/angular-cli/security/advisories/GHSA-q63q-pgmf-mxhr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/angular/angular-cli/security/advisories/GHSA-q63q-pgmf-mxhr"
},
{
"name": "https://github.com/angular/angular-cli/commit/5271547c80662de10cb3bcb648779a83f6efedfb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular-cli/commit/5271547c80662de10cb3bcb648779a83f6efedfb"
}
],
"source": {
"advisory": "GHSA-q63q-pgmf-mxhr",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery (SSRF) in Angular SSR"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62427",
"datePublished": "2025-10-16T18:50:11.598Z",
"dateReserved": "2025-10-13T16:26:12.180Z",
"dateUpdated": "2025-10-17T13:24:15.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}