Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server due to improper handling of URLs during Server-Side Rendering (SSR). When an attacker sends a request such as GET /\evil.com/ HTTP/1.1, the server engine (Express, etc.) passes the URL string to Angular’s rendering functions. Because the URL parser normalizes the backslash to a forward slash for HTTP/HTTPS schemes, the internal state of the application is hijacked into believing the current origin is evil.com. This misinterpretation tricks the application into treating the attacker’s domain as the local origin. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker-controlled server, potentially exposing internal APIs or metadata services. This issue has been patched in versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8.
Published: 2026-05-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Angular Server-Side Request Forgery occurs when a crafted URL containing a backslash or protocol-relative address is parsed by the platform-server during rendering. The URL parser normalizes the backslash to a forward slash for HTTP/HTTPS schemes, making the application treat the attacker’s domain as its own origin. This causes internal HttpClient calls and location references to resolve against the attacker-controlled host, allowing external disclosure of internal APIs or metadata services. The vulnerability is rated CVSS 8.7, indicating high severity.

Affected Systems

Vendors and products impacted are Angular applications using the @angular/platform-server package. Versions prior to 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8 are vulnerable.

Risk and Exploitability

The lack of an EPSS score and absence from the CISA KEV catalog suggest no widespread exploitation yet, but the high CVSS score indicates serious potential. Attackers can embed malicious URLs in ordinary HTTP requests to the application; the server passes these to Angular’s rendering engine, leading to a misinterpreted origin and redirected internal requests. Successful exploitation could expose sensitive internal endpoints and compromise the integrity of the application’s data flow.

Generated by OpenCVE AI on May 8, 2026 at 15:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Angular to at least version 19.2.21, 20.3.19, 21.2.9, or 22.0.0-next.8, or any later release that includes the fix.
  • If an immediate upgrade is not feasible, remove or disable @angular/platform-server from the build to prevent SSR processing of attacker-controlled URLs.
  • Implement strict outbound request filtering on the server, rejecting traffic to internal networks or whitelisting only trusted external hosts.
  • Log and monitor outgoing HTTP requests originating from SSR to detect potential abuse.
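The origin confusion from the Description and the request-side rejection suggested in the recommended actions, as an added example (not Angular’s or OpenCVE’s code): it resolves a raw request path the way a WHATWG URL parser does and refuses any path whose resolved origin differs from the server’s own before SSR runs. The origin http://localhost:4000 and the Express-style (req, res, next) middleware signature are assumptions; no framework is imported.

```javascript
// Added example, not Angular's or OpenCVE's code. Assumes the SSR server
// is reachable at http://localhost:4000 and an Express-style (req, res, next)
// middleware signature; neither framework is imported, so this runs offline.

const EXPECTED_ORIGIN = 'http://localhost:4000'; // assumed SSR origin

// Resolve a raw request path against the server origin the way a WHATWG URL
// parser does. For http/https, "\" is treated like "/", so "/\evil.com/" and
// the protocol-relative "//evil.com/" both resolve to host evil.com.
function resolveAgainstOrigin(rawPath, origin = EXPECTED_ORIGIN) {
  return new URL(rawPath, origin);
}

// True only when the path keeps the request on the expected origin.
// Rejects non-strings, paths without a leading "/", unparseable input and
// any path whose resolved origin differs from the server's own. A path that
// merely contains a backslash later on (e.g. "/api/../\x/") stays same-origin
// and is allowed, so the check does not over-block.
function isSameOriginPath(rawPath, origin = EXPECTED_ORIGIN) {
  if (typeof rawPath !== 'string' || !rawPath.startsWith('/')) return false;
  let resolved;
  try {
    resolved = new URL(rawPath, origin);
  } catch {
    return false;
  }
  return resolved.origin === origin;
}

// Express-style guard placed before the SSR handler: origin-changing paths
// are answered with 400 and never reach the rendering engine. Returns whether
// the request was allowed so it can be exercised without a running server.
function ssrPathGuard(req, res, next) {
  const rawPath = req.originalUrl || req.url || '';
  if (!isSameOriginPath(rawPath)) {
    res.statusCode = 400;
    res.end('Bad Request');
    return false;
  }
  next();
  return true;
}
```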



Advisories
Source: GitHub GHSA
ID: GHSA-45q2-gjvg-7973
Title: Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server
History

Fri, 08 May 2026 15:15:00 +0000

Type: First Time appeared
  Values Added: Angular; Angular angular
Type: Vendors & Products
  Values Added: Angular; Angular angular
Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 13:30:00 +0000

Type: Description
  Values Added: (the CVE description text given in the Description section above)
Type: Title
  Values Added: Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server
Type: Weaknesses
  Values Added: CWE-918
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T14:22:05.978Z

Reserved: 2026-04-20T15:32:33.814Z

Link: CVE-2026-41423

Vulnrichment

Updated: 2026-05-08T14:22:01.992Z

NVD

Status: Awaiting Analysis

Published: 2026-05-08T14:16:33.260

Modified: 2026-05-08T16:02:14.343

Link: CVE-2026-41423

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T15:15:10Z

Weaknesses