@angular/ssr 0.0.0-PLACEHOLDER

Direct Vulnerabilities

Known vulnerabilities in the @angular/ssr package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Server-side Request Forgery (SSRF) @angular/ssr is a the Angular server side rendering utilities. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the request handling pipeline due to improper validation of user-controlled HTTP headers such as `Host` and `X-Forwarded-`. An attacker can redirect internal server requests to arbitrary external or internal destinations, potentially exfiltrating sensitive data or probing internal networks by manipulating these headers to influence URL resolution and request routing. Note:* This is only exploitable if the application uses server-side rendering, performs HTTP requests using relative URLs or constructs URLs from unvalidated headers, and the infrastructure does not sanitize or validate incoming headers. How to fix Server-side Request Forgery (SSRF)? Upgrade `@angular/ssr` to version 19.2.21, 20.3.17, 21.1.5, 21.2.0-rc.0 or higher.	<19.2.21>=20.0.0-next.0 <20.3.17>=21.0.0-next.0 <21.1.5>=21.2.0-next.0 <21.2.0-rc.0
H Race Condition @angular/ssr is a the Angular server side rendering utilities. Affected versions of this package are vulnerable to Race Condition between multiple concurrent requests in the global platform injector, when using the `bootstrapApplication`, `getPlatform`, or `destroyPlatform` functions. This allows data (including sensitive data) to be leaked between requests and included in rendered content or response headers for the wrong request. Note: The CLI is vulnerable even if an application is not explicitly using `getPlatform`, and exposes this vulnerability if exposed to remote connections. How to fix Race Condition? Upgrade `@angular/ssr` to version 18.2.21, 19.2.16, 20.3.0, 21.0.0-next.3 or higher.	<18.2.21>=19.0.0-next.0 <19.2.16>=20.0.0-next.0 <20.3.0>=21.0.0-next.0 <21.0.0-next.3

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

@angular/ssr is a the Angular server side rendering utilities.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the request handling pipeline due to improper validation of user-controlled HTTP headers such as Host and X-Forwarded-*. An attacker can redirect internal server requests to arbitrary external or internal destinations, potentially exfiltrating sensitive data or probing internal networks by manipulating these headers to influence URL resolution and request routing.

Note:

This is only exploitable if the application uses server-side rendering, performs HTTP requests using relative URLs or constructs URLs from unvalidated headers, and the infrastructure does not sanitize or validate incoming headers.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @angular/ssr to version 19.2.21, 20.3.17, 21.1.5, 21.2.0-rc.0 or higher.

<19.2.21>=20.0.0-next.0 <20.3.17>=21.0.0-next.0 <21.1.5>=21.2.0-next.0 <21.2.0-rc.0

Race Condition

@angular/ssr is a the Angular server side rendering utilities.

Affected versions of this package are vulnerable to Race Condition between multiple concurrent requests in the global platform injector, when using the bootstrapApplication, getPlatform, or destroyPlatform functions. This allows data (including sensitive data) to be leaked between requests and included in rendered content or response headers for the wrong request.

Note: The CLI is vulnerable even if an application is not explicitly using getPlatform, and exposes this vulnerability if exposed to remote connections.

How to fix Race Condition?

Upgrade @angular/ssr to version 18.2.21, 19.2.16, 20.3.0, 21.0.0-next.3 or higher.

<18.2.21>=19.0.0-next.0 <19.2.16>=20.0.0-next.0 <20.3.0>=21.0.0-next.0 <21.0.0-next.3

@angular/ssr@0.0.0-PLACEHOLDER

Angular server side rendering utilities

latest version

latest non vulnerable version

first published

latest version published

Direct Vulnerabilities

Fix vulnerabilities automatically