Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.
Published: 2026-06-22
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Angular versions prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22 allow a Server-Side Request Forgery through server‑side rendering. An attacker injects an absolute URL (e.g., http://evil.com) into the rendering entry point, causing the SSR engine to treat the attacker’s domain as the active hostname. Consequently, any relative HTTP client calls or hostname references are redirected to the attacker’s server, exposing internal services or sensitive metadata. The flaw is an instance of CWE‑918.

Affected Systems

Any application built with Angular 22.0.0-next.12 or earlier, 21.2.13 or earlier, 20.3.21 or earlier, or 19.2.22 or earlier, that employs server‑side rendering and accepts external URLs as rendering parameters is vulnerable. The issue resides specifically in the @angular/platform-server package.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity. The EPSS score is not available, but the absence of a CISA KEV listing suggests no known public exploits yet. Nonetheless, the flaw can be leveraged remotely with minimal effort if an attacker can supply a rendering request, making it a high‑impact risk for exposed SSR endpoints.

Generated by OpenCVE AI on June 22, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Angular to 22.0.0-next.12 or later, 21.2.13 or later, 20.3.21 or later, or 19.2.22 or later.
  • Validate or reject absolute-form URLs before they reach the SSR engine; accept only origin-form (relative) URLs or hostnames on an explicit allow-list.
  • Configure your HTTP client or server to reject outbound requests to untrusted hosts, and document that internal APIs must not be reachable through dynamically supplied hostnames.
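The following TypeScript is an added example of the second and third actions above, not code from the Angular project or from OpenCVE. It assumes a Node-style server where the raw request target (the value of `req.url`) is available before rendering, and it assumes two operator-configured allow-lists (`TRUSTED_RENDER_HOSTS`, `ALLOWED_OUTBOUND_HOSTS`) and the hostnames in them, all of which are constructed for the example. The inbound guard accepts only origin-form targets and re-parses them against a fixed base so the renderer never adopts a hostname taken from the request; the outbound guard resolves relative HTTP calls against the configured API base and allows only allow-listed hosts.

```typescript
// Added example (not Angular's code): guard the request target before it
// reaches an SSR rendering entry point, and guard outbound server-side
// requests so a hijacked hostname cannot redirect them to an untrusted host.

// Assumption: the operator configures these; the request never supplies them.
const TRUSTED_RENDER_HOSTS: ReadonlySet<string> = new Set(['app.example.internal']);
const ALLOWED_OUTBOUND_HOSTS: ReadonlySet<string> = new Set(['api.example.internal']);

interface RenderTarget {
  path: string; // origin-form path plus query, always starting with "/"
  host: string; // hostname the renderer treats as "current"; from config only
}

// Accepts only an origin-form target ("/path?query") and re-parses it against
// a fixed base, so the renderer never sees a hostname taken from the request.
function toRenderTarget(rawTarget: string, configuredHost: string): RenderTarget | null {
  if (!TRUSTED_RENDER_HOSTS.has(configuredHost)) return null;
  // Absolute-form ("http://evil.example/x"), scheme-relative ("//evil.example/x")
  // and the backslash variant ("/\evil.example/x", which WHATWG parsing folds
  // into "//") all fail this test; only "/..." passes.
  if (!rawTarget.startsWith('/') || rawTarget.startsWith('//') || rawTarget.startsWith('/\\')) {
    return null;
  }
  let parsed: URL;
  try {
    parsed = new URL(rawTarget, `https://${configuredHost}`);
  } catch {
    return null;
  }
  // Whatever the parser did with the input, the host must still be ours.
  if (parsed.hostname !== configuredHost) return null;
  return { path: parsed.pathname + parsed.search, host: configuredHost };
}

// Resolves a (possibly relative) outbound URL against the configured API base
// and allows it only if the resulting hostname is on the allow-list. A relative
// request therefore always goes to the configured API host, never to a host
// adopted from an incoming request.
function resolveOutbound(url: string, apiBase: string): string | null {
  let parsed: URL;
  try {
    parsed = new URL(url, apiBase);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  if (!ALLOWED_OUTBOUND_HOSTS.has(parsed.hostname)) return null;
  return parsed.href;
}
```

Usage: call `toRenderTarget(req.url, configuredHost)` before invoking the rendering entry point and return a 400 when it yields `null`; route every server-side `HttpClient` call through `resolveOutbound` (or an equivalent interceptor) so that an unexpected hostname is refused rather than contacted.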


Advisories
Source: Github GHSA | ID: GHSA-rfh7-fxqc-q52v | Title: @angular/platform-server: SSRF via Hostname Hijacking
History

Mon, 22 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | (the description quoted at the top of this record)
Title | (none) | Angular: SSRF via Hostname Hijacking in @angular/platform-server
Weaknesses | (none) | CWE-918
References | (none) | (none)
Metrics | (none) | cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T15:48:53.298Z

Reserved: 2026-05-13T21:04:10.933Z

Link: CVE-2026-46417

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)