Vulnerability	Vulnerable Version
H Server-side Request Forgery (SSRF) @angular/platform-server is an Angular - library for using Angular in Node.js Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the URL parsing during Server-Side Rendering (SSR). An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled domains by sending specially crafted requests with protocol-relative or backslash-prefixed URLs. This can result in exposure of internal APIs or metadata services if the server performs HTTP requests using relative URLs or constructs URLs based on the manipulated origin. Note: Affected APIs (used with Angular SSR): `renderModule` `renderApplication` `CommonEngine` How to fix Server-side Request Forgery (SSRF)? Upgrade `@angular/platform-server` to version 19.2.21, 20.3.19, 21.2.9, 22.0.0-next.8 or higher.	<19.2.21>=20.0.0-next.0 <20.3.19>=21.0.0-next.0 <21.2.9>=22.0.0-next.0 <22.0.0-next.8

Server-side Request Forgery (SSRF)

@angular/platform-server is an Angular - library for using Angular in Node.js

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the URL parsing during Server-Side Rendering (SSR). An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled domains by sending specially crafted requests with protocol-relative or backslash-prefixed URLs. This can result in exposure of internal APIs or metadata services if the server performs HTTP requests using relative URLs or constructs URLs based on the manipulated origin.

Note:

Affected APIs (used with Angular SSR):

renderModule
renderApplication
CommonEngine

How to fix Server-side Request Forgery (SSRF)?

Upgrade @angular/platform-server to version 19.2.21, 20.3.19, 21.2.9, 22.0.0-next.8 or higher.

<19.2.21>=20.0.0-next.0 <20.3.19>=21.0.0-next.0 <21.2.9>=22.0.0-next.0 <22.0.0-next.8

Go back to all versions of this package