Description
Angular SSR is the server-side rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. Angular's internal URL reconstruction logic directly trusts user-controlled HTTP headers, specifically `Host` and the `X-Forwarded-*` family, to determine the application's base origin, without validating the destination: the framework performed no checks on the host name, no path or character sanitization, and no port validation. The vulnerability manifests in two ways: implicit relative URL resolution (relative `HttpClient` URLs issued during server rendering are resolved against the header-derived origin) and explicit manual construction of URLs from the `REQUEST` object. Successful exploitation allows arbitrary steering of the server's internal requests, which can lead to credential exfiltration, internal network probing, and a confidentiality breach. An application is vulnerable only if all of the following hold: it uses Angular SSR (Server-Side Rendering); it performs `HttpClient` requests using relative URLs, or manually constructs URLs from the unvalidated `Host` / `X-Forwarded-*` headers on the `REQUEST` object; the application server is reachable by an attacker who can influence these headers without strict validation by a front-facing proxy; and the infrastructure (cloud, CDN, or load balancer) does not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Workarounds are available: avoid using `req.headers` for URL construction and use trusted configuration values for base API paths instead; those who cannot upgrade immediately should add middleware in `server.ts` that enforces numeric ports and validated hostnames.
Published: 2026-02-25
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (SSRF) and Header Injection
Action: Immediate Patch
AI Analysis

Impact

The Angular Server‑Side Rendering (SSR) request handling pipeline trusts the HTTP Host header and the X‑Forwarded‑* headers when reconstructing the application's base origin. Because no validation is performed on the destination host, path, or port, an attacker who can influence these headers can steer the server's own outbound requests to arbitrary internal resources. The flaw, classified as CWE‑918, enables credential exfiltration, internal network scanning, and disclosure of sensitive information, that is, a confidentiality breach. It is reachable only when Angular SSR is in use and the application either performs HttpClient requests with relative URLs or manually constructs URLs from the unvalidated request headers.

Affected Systems

Applications built with Angular Server‑Side Rendering that depend on the packages @nguniversal/common, @nguniversal/express‑engine, or angular‑cli are affected. Versions prior to 21.2.0‑rc.1, 21.1.5, 20.3.17, and 19.2.21 are affected. The flaw is exposed when the application runs on a server reachable by an attacker who can inject custom Host or X‑Forwarded‑* headers and the front‑facing infrastructure (CDN, load balancer, or proxy) does not strip or overwrite those headers.

Risk and Exploitability

The CVSS 4.0 score of 9.2 places this issue in the critical range, while the EPSS score below 1% estimates a low probability of exploitation in the wild at present. The flaw is not listed in the CISA KEV catalog, consistent with no known exploitation to date. The attack vector is an HTTP request carrying a crafted Host or X‑Forwarded‑* header that reaches the SSR application through a web server or proxy that fails to strip or normalize these headers. The vector (AV:N/PR:N/UI:N) requires nothing beyond the ability to send such a request; deployments whose upstream proxy enforces strict header validation are correspondingly less exposed. If exploited, the attacker can aim the server's outbound requests at internal services, steal credentials, or map internal network topology. Carrying the unvalidated headers through to URL construction is the critical weakness that enables the attack.

Generated by OpenCVE AI on April 16, 2026 at 16:11 UTC.

Remediation

Fixed in 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21. Workarounds stated in the advisory description: do not build URLs from `req.headers` (use trusted configuration values for base API paths instead), and, where an upgrade is not immediately possible, add middleware in `server.ts` that enforces numeric ports and validated hostnames.

OpenCVE Recommended Actions

  • Upgrade @nguniversal/common, @nguniversal/express‑engine, and angular‑cli to the patched versions (21.2.0‑rc.1, 21.1.5, 20.3.17, or 19.2.21).
  • If an upgrade is not immediately possible, add middleware to the server.ts file that enforces numeric ports and validates hostnames in all incoming Host and X‑Forwarded‑* headers, rejecting any that do not match trusted patterns.
  • Avoid constructing URLs from `req.headers.host` or any X‑Forwarded‑* value; use hard‑coded trusted base URLs or environment variables instead.
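The following TypeScript is an added example for this advisory, not code from Angular or from the GHSA, illustrating both the flaw described in the Description above and the `server.ts` middleware check the recommended actions call for: an origin derived naively from `Host` / `X-Forwarded-*` (the shape of the vulnerable pattern), beside a checked version that allowlists the hostname, requires a numeric in-range port, restricts the scheme, and consults `X-Forwarded-*` only when the deployment explicitly trusts its proxy. The `OriginPolicy` type, the `unsafeOrigin` / `checkedOrigin` names, the `app.example.com` allowlist and the constructed header sets are assumptions made for the example; none of them is an Angular API.

```typescript
// Added example (not Angular's code): validate Host / X-Forwarded-* before deriving the
// origin that relative HttpClient URLs are resolved against during server rendering.

type HeaderMap = Record<string, string | string[] | undefined>;

// Hypothetical policy object; in a real server.ts it comes from config, never from the request.
interface OriginPolicy {
  allowedHosts: ReadonlySet<string>;   // lowercase hostnames, no port
  allowedProtos: ReadonlySet<string>;  // normally just "https"
  fallbackOrigin: string;              // used when no Host header is present at all
  trustForwardedHeaders: boolean;      // true only behind a proxy that OVERWRITES X-Forwarded-*
}

type OriginCheck =
  | { ok: true; origin: string }
  | { ok: false; reason: string };

// DNS-label style hostname: letters, digits and hyphens joined by dots.
// Slashes, '@', '%', spaces and brackets are rejected outright.
const HOSTNAME_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/;

// undefined = header absent, null = header present more than once (or comma-joined).
// A proxy that APPENDS to X-Forwarded-* leaves the client-supplied value in front,
// so a multi-valued header is not trustworthy and is rejected rather than picked from.
function single(value: string | string[] | undefined): string | null | undefined {
  if (value === undefined) return undefined;
  const items = Array.isArray(value) ? value : [value];
  if (items.length !== 1) return null;
  const only = items.join('');
  return only.includes(',') ? null : only.trim();
}

// The naive reconstruction the advisory describes: whatever the client sent wins.
// Kept only to contrast with checkedOrigin below; never use this shape.
function unsafeOrigin(headers: HeaderMap): string {
  const pick = (v: string | string[] | undefined) => (Array.isArray(v) ? v[0] : v);
  const proto = pick(headers['x-forwarded-proto']) ?? 'http';
  const host = pick(headers['x-forwarded-host']) ?? pick(headers['host']) ?? 'localhost';
  return `${proto}://${host}`;
}

// Split "host[:port]"; anything that is not a bare hostname plus an optional numeric port is rejected.
function parseHostHeader(value: string): { host: string; port?: number } | null {
  const m = /^([^:]+)(?::(\d{1,5}))?$/.exec(value);
  if (!m) return null;
  const host = m[1].toLowerCase();
  if (!HOSTNAME_RE.test(host)) return null;
  if (m[2] === undefined) return { host };
  const port = Number(m[2]);
  if (port < 1 || port > 65535) return null;
  return { host, port };
}

// Middleware-style check: returns the only origin the render pipeline may use, or a rejection.
function checkedOrigin(headers: HeaderMap, policy: OriginPolicy): OriginCheck {
  const fwd = (name: string): string | null | undefined =>
    policy.trustForwardedHeaders ? single(headers[name]) : undefined;

  const fwdHost = fwd('x-forwarded-host');
  const fwdPort = fwd('x-forwarded-port');
  const fwdProto = fwd('x-forwarded-proto');
  if (fwdHost === null || fwdPort === null || fwdProto === null) {
    return { ok: false, reason: 'multi-valued X-Forwarded-* header' };
  }

  const hostHeader = fwdHost ?? single(headers['host']);
  if (hostHeader === null) return { ok: false, reason: 'multi-valued Host header' };
  if (hostHeader === undefined) return { ok: true, origin: policy.fallbackOrigin };

  const parsed = parseHostHeader(hostHeader);
  if (parsed === null) return { ok: false, reason: `malformed host: ${hostHeader}` };
  if (!policy.allowedHosts.has(parsed.host)) return { ok: false, reason: `host not allowed: ${parsed.host}` };

  let port = parsed.port;
  if (fwdPort !== undefined) {
    if (!/^\d{1,5}$/.test(fwdPort) || Number(fwdPort) < 1 || Number(fwdPort) > 65535) {
      return { ok: false, reason: `invalid port: ${fwdPort}` };
    }
    port = Number(fwdPort);
  }

  // Assumed default scheme when the proxy sends none; real code would take it from config.
  const proto = (fwdProto ?? 'https').toLowerCase();
  if (!policy.allowedProtos.has(proto)) return { ok: false, reason: `scheme not allowed: ${proto}` };

  return { ok: true, origin: port === undefined ? `${proto}://${parsed.host}` : `${proto}://${parsed.host}:${port}` };
}
```

In an Express `server.ts`, `checkedOrigin` would run before the Angular render handler: a `{ ok: false }` result ends the request with a 400, and the `origin` of an `{ ok: true }` result is the only value handed to the rendering pipeline and to any manual URL construction from `REQUEST`. Leave `trustForwardedHeaders` false unless a proxy you control overwrites those headers on every hop; with it true, the check still refuses multi-valued forwarded headers because an appending proxy leaves the attacker's value first.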



Advisories
Source: GitHub GHSA
ID: GHSA-x288-3778-4hhx
Title: Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
History

Fri, 27 Feb 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Angular; Angular @nguniversal/common; Angular @nguniversal/express-engine; Angular angular

Type: Vendors & Products
Values Added: Angular; Angular @nguniversal/common; Angular @nguniversal/express-engine; Angular angular

Wed, 25 Feb 2026 17:30:00 +0000

Type: Description
Values Added: The Angular SSR is a server-side rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the host domain, path and character sanitization, and port validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to credential exfiltration, internal network probing, and a confidentiality breach. In order to be vulnerable, the victim application must use Angular SSR (Server-Side Rendering), the application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object, the application server must be reachable by an attacker who can influence these headers without strict validation from a front-facing proxy, and the infrastructure (Cloud, CDN, or Load Balancer) must not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Some workarounds are available. Avoid using `req.headers` for URL construction. Instead, use trusted variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their `server.ts` to enforce numeric ports and validated hostnames.

Type: Title
Values Added: Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T17:59:11.328Z

Reserved: 2026-02-23T18:37:14.790Z

Link: CVE-2026-27739

Vulnrichment

Updated: 2026-02-27T17:59:08.064Z

NVD

Status : Deferred

Published: 2026-02-25T18:23:40.800

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27739

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses