Описание
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and X-Forwarded-* family to determine the application's base origin without any validation of the destination domain.
Specifically, the framework didn't have checks for the following:
- Host Domain: The
HostandX-Forwarded-Hostheaders were not checked to belong to a trusted origin. This allows an attacker to redefine the "base" of the application to an arbitrary external domain. - Path & Character Sanitization: The
X-Forwarded-Hostheader was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs. - Port Validation: The
X-Forwarded-Portheader was not verified as numeric, leading to malformed URI construction or injection attacks.
This vulnerability manifests in two primary ways:
- Implicit Relative URL Resolution: Angular's
HttpClientresolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can "steer" these requests to an external server or internal service. - Explicit Manual Construction: Developers injecting the
REQUESTobject to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing theHost/X-Forwarded-*headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.
Impact
When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to:
- Credential Exfiltration: Stealing sensitive
Authorizationheaders or session cookies by redirecting them to an attacker's server. - Internal Network Probing: Accessing and transmitting data from internal services, databases, or cloud metadata endpoints (e.g.,
169.254.169.254) not exposed to the public internet. - Confidentiality Breach: Accessing sensitive information processed within the application's server-side context.
Attack Preconditions
- The victim application must use Angular SSR (Server-Side Rendering).
- The application must perform
HttpClientrequests using relative URLs OR manually construct URLs using the unvalidatedHost/X-Forwarded-*headers using theREQUESTobject. - Direct Header Access: The application server is reachable by an attacker who can influence these headers without strict validation from a front-facing proxy.
- Lack of Upstream Validation: The infrastructure (Cloud, CDN, or Load Balancer) does not sanitize or validate incoming headers.
Patches
- 21.2.0-rc.1
- 21.1.5
- 20.3.17
- 19.2.21
Workarounds
- Use Absolute URLs: Avoid using
req.headersfor URL construction. Instead, use trusted variables for your base API paths. - Implement Strict Header Validation (Middleware): If you cannot upgrade immediately, implement a middleware in your
server.tsto enforce numeric ports and validated hostnames.
References
Ссылки
- https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx
- https://nvd.nist.gov/vuln/detail/CVE-2026-27739
- https://github.com/angular/angular-cli/pull/32516
- https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf
- https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF
Пакеты
@angular/ssr
>= 21.2.0-next.0, < 21.2.0-rc.0
21.2.0-rc.1
@angular/ssr
>= 21.0.0-next.0, < 21.1.5
21.1.5
@angular/ssr
>= 20.0.0-next.0, < 20.3.17
20.3.17
@angular/ssr
< 19.2.21
19.2.21
@nguniversal/common
<= 16.2.0
Отсутствует
@nguniversal/express-engine
<= 16.2.0
Отсутствует
Связанные уязвимости
The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the host domain, path and character sanitization, and port validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to credential exfiltration, internal network probing, and a confidentiality breach. In order to be vulnerable, the victim application mu
The Angular SSR is a server-rise rendering tool for Angular applicatio ...