Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/platform-server package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for allowlist validation and the lenient Domino URL parser used to initialize the server emulated DOM. When a server-side request contains a malformed URL with a double port structure (e.g., http://evil.com:80:80/path), Node's strict URL.canParse(url) logic returns false and skips host check validation entirely. However, the same malformed URL is later accepted and parsed leniently by Domino's internal parser, which resolves the origin to http://evil.com:80. The Angular SSR HTTP request interceptor (relativeUrlsTransformerInterceptorFn) then resolves all relative backend HTTP requests against this adopted origin, executing the SSRF attack. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Published: 2026-06-22
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can craft a malformed URL containing a double port specification (for example, http://evil.com:80:80/path) that is rejected by Node's strict WHATWG URL parser but accepted by Domino's lenient parser, which the server‑side rendering component uses to initialize the emulated DOM. Because the allowlist validation is skipped whenever the strict parser fails, the emulated DOM adopts the attacker's origin (http://evil.com:80) and the SSR interceptor resolves every relative backend HTTP request against it, so the server initiates outbound requests to an arbitrary external host. The weakness is classified as CWE‑346 (Origin Validation Error) and CWE‑918 (Server‑Side Request Forgery).

Affected Systems

Every release of @angular/platform‑server earlier than the patched versions: 22.x pre‑releases before 22.0.0‑rc.2, 21.x before 21.2.15, 20.x before 20.3.22, and 19.x before 19.2.23. The four versions named are the fixed releases, not affected ones.

Risk and Exploitability

The CVSS 4.0 score of 8.8 indicates a high severity vulnerability; the vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a remote, unauthenticated attack with no user interaction, with confidentiality impact rated high and integrity impact low. EPSS data is not available, so the quantified likelihood of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is a remote attacker sending a request with a crafted, malformed URL to an application that renders on the server. If exploited, relative backend requests (and whatever data they carry) are redirected to an attacker‑controlled host, which can expose internal resources, exfiltrate data, or serve as a pivot for further attacks within the network.

Generated by OpenCVE AI on June 22, 2026 at 18:26 UTC.

Remediation

Fixed in @angular/platform-server 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23 (see the description and GHSA-xrxm-cp7j-8xf6). No vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade @angular/platform-server (and the matching Angular packages) to 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23, whichever corresponds to your major version; these releases correct the URL parser differential.
  • If an upgrade cannot be applied immediately, add a pre‑processing validation step that rejects any request URL failing strict WHATWG parsing (URL.canParse returning false) before the SSR interceptor processes it, rather than skipping the host check for such URLs.
  • Implement outbound request filtering on the server or in a reverse proxy (egress allowlist) to restrict which external hosts server‑side code can contact, limiting the impact of any remaining SSRF.
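The following JavaScript is added here as an illustration and is not code from Angular, Domino, or OpenCVE. It reproduces the parser differential described above using Node's own WHATWG URL parser next to a deliberately lenient stand‑in parser, and shows the hardened pre‑check that the first mitigation above calls for. Every function name (strictCanParse, lenientOrigin, hostAllowedVulnerable, hostAllowedHardened, resolveBackendRequest, demo), the allowlist, and the sample URLs are constructed for the example; lenientOrigin only mimics the single behaviour the advisory attributes to Domino (keeping the first port and ignoring what follows) and is not Domino's actual algorithm.

```javascript
// Added example, not Angular's code: models the allowlist bypass described in
// CVE-2026-50168 and a hardened check. All names below are hypothetical.

// Strict WHATWG parse check. Uses URL.canParse where the runtime provides it
// and falls back to new URL() otherwise; both reject a host like "evil.com:80:80".
function strictCanParse(url) {
  if (typeof URL.canParse === 'function') return URL.canParse(url);
  try { new URL(url); return true; } catch { return false; }
}

// Toy stand-in for a lenient parser (NOT Domino's code). It takes the scheme,
// the host and only the FIRST port and ignores the remainder, so
// "http://evil.com:80:80/path" yields the origin "http://evil.com:80", which is
// the origin the advisory says the emulated DOM adopts.
function lenientOrigin(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#:]+)(?::(\d+))?/i.exec(url);
  if (!m) return null;
  const [, scheme, host, port] = m;
  return `${scheme.toLowerCase()}://${host.toLowerCase()}${port ? ':' + port : ''}`;
}

// Vulnerable pattern as the advisory describes it: when the strict parser cannot
// parse the URL the host check is skipped entirely, i.e. the URL is treated as allowed.
function hostAllowedVulnerable(url, allowlist) {
  if (!strictCanParse(url)) return true; // the bug: unparsable means unchecked
  return allowlist.includes(new URL(url).hostname.toLowerCase());
}

// Hardened check: a URL the strict parser rejects is rejected outright, so no
// lenient parser downstream can adopt an origin that was never validated.
function hostAllowedHardened(url, allowlist) {
  if (!strictCanParse(url)) return false;
  return allowlist.includes(new URL(url).hostname.toLowerCase());
}

// Models the interceptor behaviour: a relative backend request is resolved
// against the origin the emulated DOM adopted. Returns the absolute URL the
// server would fetch, or null when the request URL is refused.
function resolveBackendRequest(requestUrl, relativePath, allowlist, check) {
  if (!check(requestUrl, allowlist)) return null;
  const origin = lenientOrigin(requestUrl);
  if (!origin) return null;
  return new URL(relativePath, origin).href;
}

// Constructed sample input (not from a real deployment).
const ALLOWLIST = ['app.example.com'];
const MALFORMED = 'http://evil.com:80:80/path';
const LEGIT = 'https://app.example.com/page';

function demo() {
  return {
    strict: strictCanParse(MALFORMED),   // false: WHATWG rejects the double port
    lenient: lenientOrigin(MALFORMED),   // 'http://evil.com:80'
    vulnerable: resolveBackendRequest(MALFORMED, '/api/session', ALLOWLIST, hostAllowedVulnerable),
    hardened: resolveBackendRequest(MALFORMED, '/api/session', ALLOWLIST, hostAllowedHardened),
    legit: resolveBackendRequest(LEGIT, '/api/session', ALLOWLIST, hostAllowedHardened),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node`. The output shows the same malformed input being rejected by the strict parser yet producing the adopted origin http://evil.com:80; along the vulnerable path the relative request /api/session is fetched from http://evil.com/api/session (the WHATWG resolver drops the default port 80 when it serializes), while the hardened check refuses the request and still lets the well‑formed allowlisted URL through.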


Advisories

  • GitHub GHSA-xrxm-cp7j-8xf6: @angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass
History

Mon, 22 Jun 2026 18:30:00 +0000

  • Metrics added (values removed: none): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:30:00 +0000

Values added (values removed: none):

  • Description: the CVE description reproduced at the top of this page
  • Title: Angular: URL Parser Differential in @angular/platform-server leading to SSRF Allowlist Bypass
  • Weaknesses: CWE-346, CWE-918
  • References: (none listed)
  • Metrics: cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-22T17:59:49.283Z
Reserved: 2026-06-03T20:54:20.433Z
Link: CVE-2026-50168

Vulnrichment

Updated: 2026-06-22T17:59:45.465Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-346: Origin Validation Error
  • CWE-918: Server-Side Request Forgery (SSRF)