FKIE_CVE-2026-27739
Vulnerability from fkie_nvd - Published: 2026-02-25 18:23 - Updated: 2026-04-15 00:35
Summary
Angular SSR is a server-side rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular's internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers, specifically the `Host` header and the `X-Forwarded-*` family, to determine the application's base origin without any validation of the destination domain. Specifically, the framework had no checks for the host domain, no path and character sanitization, and no port validation. The vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, it allows arbitrary internal request steering, which can lead to credential exfiltration, internal network probing, and a confidentiality breach. To be vulnerable, the victim application must use Angular SSR (Server-Side Rendering); the application must perform `HttpClient` requests using relative URLs, or manually construct URLs from the unvalidated `Host` / `X-Forwarded-*` headers obtained through the `REQUEST` object; the application server must be reachable by an attacker who can influence these headers without strict validation by a front-facing proxy; and the infrastructure (cloud, CDN, or load balancer) must not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Some workarounds are available: avoid using `req.headers` for URL construction and instead use trusted variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their `server.ts` that enforces numeric ports and validated hostnames.
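The workaround above asks for a `server.ts` middleware that enforces numeric ports and validated hostnames. The following is an added example of such a guard, not code from the Angular project or the advisory; it assumes an Express-style request/response shape and a constructed `ALLOWED_HOSTS` allowlist.

```typescript
// Added example, not code from the Angular project or the advisory: an
// Express-style guard for server.ts that allowlists Host / X-Forwarded-Host
// and enforces numeric ports before Angular SSR reconstructs the origin.
// ALLOWED_HOSTS is a constructed sample; replace it with your deployment's hosts.
export const ALLOWED_HOSTS: ReadonlySet<string> = new Set(['app.example.com', 'localhost']);
// Bare hostname only: RFC 1123 labels, no scheme, path, userinfo or IPv6 brackets.
const LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
const HOSTNAME_RE = new RegExp(`^${LABEL}(?:\\.${LABEL})*$`, 'i');
type Headers = Record<string, string | string[] | undefined>;
export interface OriginCheck { ok: boolean; host?: string; port?: number; reason?: string }

// First value only: proxies append to X-Forwarded-* lists, so the entry set by
// the edge proxy comes first and a later, client-supplied one must not win.
function first(headers: Headers, name: string): string | undefined {
  const raw = headers[name.toLowerCase()];
  const v = Array.isArray(raw) ? raw[0] : raw;
  return v === undefined ? undefined : (v.split(',')[0] ?? '').trim();
}

// Digits only: rejects "8080/admin", "443@host", negative and out-of-range values.
function parsePort(text: string): number | undefined {
  if (!/^\d{1,5}$/.test(text)) return undefined;
  const n = Number(text);
  return n >= 1 && n <= 65535 ? n : undefined;
}

export function validateOrigin(headers: Headers): OriginCheck {
  const proto = first(headers, 'x-forwarded-proto') ?? 'https';
  if (proto !== 'http' && proto !== 'https') return { ok: false, reason: `bad proto: ${proto}` };
  // X-Forwarded-Host (set by the edge proxy) takes precedence over Host.
  const candidate = first(headers, 'x-forwarded-host') ?? first(headers, 'host');
  if (!candidate) return { ok: false, reason: 'missing host' };
  const idx = candidate.lastIndexOf(':');
  const host = (idx === -1 ? candidate : candidate.slice(0, idx)).toLowerCase();
  const inlinePort = idx === -1 ? undefined : candidate.slice(idx + 1);
  if (!HOSTNAME_RE.test(host) || !ALLOWED_HOSTS.has(host)) {
    return { ok: false, reason: `host not allowed: ${host}` };
  }
  const portText = first(headers, 'x-forwarded-port') ?? inlinePort ?? (proto === 'http' ? '80' : '443');
  const port = parsePort(portText);
  if (port === undefined) return { ok: false, reason: `bad port: ${portText}` };
  return { ok: true, host, port };
}

// Express-compatible middleware; the minimal req/res shapes compile without @types/express.
export function originGuard(req: { headers: Headers }, res: { status(code: number): { end(body?: string): void } }, next: () => void): void {
  const check = validateOrigin(req.headers);
  if (!check.ok) { res.status(400).end('Bad Request'); return; }
  next();
}
```

Register it with `app.use(originGuard)` before the Angular SSR handler so the validated `host` and `port` are the only values the rendering pipeline ever sees.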
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular\u2019s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application\u0027s base origin without any validation of the destination domain. Specifically, the framework didn\u0027t have checks for the host domain, path and character sanitization, and port validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to credential exfiltration, internal network probing, and a confidentiality breach. In order to be vulnerable, the victim application must use Angular SSR (Server-Side Rendering), the application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object, the application server must be reachable by an attacker who can influence these headers without strict validation from a front-facing proxy, and the infrastructure (Cloud, CDN, or Load Balancer) must not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Some workarounds are available. Avoid using `req.headers` for URL construction. Instead, use trusted variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their `server.ts` to enforce numeric ports and validated hostnames."
},
{
"lang": "es",
"value": "Angular SSR es una herramienta de renderizado del lado del servidor para aplicaciones Angular. Las versiones anteriores a 21.2.0-rc.1, 21.1.5, 20.3.17 y 19.2.21 tienen una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en la cadena de manejo de peticiones de Angular SSR. La vulnerabilidad existe porque la l\u00f3gica interna de reconstrucci\u00f3n de URL de Angular conf\u00eda y consume directamente los encabezados HTTP controlados por el usuario, espec\u00edficamente los de la familia Host y \u0027X-Forwarded-*\u0027, para determinar el origen base de la aplicaci\u00f3n sin ninguna validaci\u00f3n del dominio de destino. Espec\u00edficamente, el framework no ten\u00eda comprobaciones para el dominio del host, la sanitizaci\u00f3n de rutas y caracteres, y la validaci\u00f3n del puerto. Esta vulnerabilidad se manifiesta de dos formas principales: resoluci\u00f3n impl\u00edcita de URL relativas y construcci\u00f3n manual expl\u00edcita. Cuando se explota con \u00e9xito, esta vulnerabilidad permite la direcci\u00f3n arbitraria de peticiones internas. Esto puede llevar a la exfiltraci\u00f3n de credenciales, el sondeo de redes internas y una violaci\u00f3n de la confidencialidad. Para ser vulnerable, la aplicaci\u00f3n v\u00edctima debe usar Angular SSR (Server-Side Rendering), la aplicaci\u00f3n debe realizar peticiones \u0027HttpClient\u0027 usando URL relativas O construir URL manualmente usando los encabezados \u0027Host\u0027 / \u0027X-Forwarded-*\u0027 no validados usando el objeto \u0027REQUEST\u0027, el servidor de aplicaciones debe ser accesible por un atacante que pueda influir en estos encabezados sin una validaci\u00f3n estricta de un proxy frontal, y la infraestructura (Nube, CDN o Balanceador de Carga) no debe sanitizar o validar los encabezados entrantes. Las versiones 21.2.0-rc.1, 21.1.5, 20.3.17 y 19.2.21 contienen un parche. Algunas soluciones alternativas est\u00e1n disponibles. Evite usar \u0027req.headers\u0027 para la construcci\u00f3n de URL. En su lugar, use variables de confianza para las rutas base de la API. Aquellos que no puedan actualizar inmediatamente deben implementar un middleware en su \u0027server.ts\u0027 para exigir puertos num\u00e9ricos y nombres de host validados."
}
],
"id": "CVE-2026-27739",
"lastModified": "2026-04-15T00:35:42.020",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-25T18:23:40.800",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf"
},
{
"source": "security-advisories@github.com",
"url": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/angular/angular-cli/pull/32516"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.