Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.
Published: 2026-06-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Angular versions prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22 allow a Server-Side Request Forgery through server‑side rendering. An attacker injects an absolute URL (e.g., http://evil.com) into the rendering entry point, causing the SSR engine to treat the attacker’s domain as the active hostname. Consequently, any relative HTTP client calls or hostname references are redirected to the attacker’s server, exposing internal services or sensitive metadata. The flaw is an instance of CWE‑918.

Affected Systems

Any application built with Angular 22.0.0-next.12 or earlier, 21.2.13 or earlier, 20.3.21 or earlier, or 19.2.22 or earlier, that employs server‑side rendering and accepts external URLs as rendering parameters is vulnerable. The issue resides specifically in the @angular/platform-server package.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity. The EPSS score is not available, but the absence of a CISA KEV listing suggests no known public exploits yet. Nonetheless, the flaw can be leveraged remotely with minimal effort if an attacker can supply a rendering request, making it a high‑impact risk for exposed SSR endpoints.

Generated by OpenCVE AI on June 22, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Angular to 22.0.0-next.12 or later, 21.2.13 or later, 20.3.21 or later, or 19.2.22 or later.
  • Validate or reject absolute-form URLs before they reach the SSR engine; enforce that only relative URLs or whitelisted domains are accepted.
  • Configure your HTTP client or server to reject outbound requests to untrusted hosts, and document that internal APIs should not be reachable through dynamically supplied hostnames.

Generated by OpenCVE AI on June 22, 2026 at 18:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rfh7-fxqc-q52v @angular/platform-server: SSRF via Hostname Hijacking
History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Angular
Angular angular
Vendors & Products Angular
Angular angular

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.
Title Angular: SSRF via Hostname Hijacking in @angular/platform-server
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T03:15:36.788Z

Reserved: 2026-05-13T21:04:10.933Z

Link: CVE-2026-46417

cve-icon Vulnrichment

Updated: 2026-06-30T03:15:36.788Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-22T15:40:32Z

Links: CVE-2026-46417 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T20:00:06Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)