@angular/ssr 20.2.0-next.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @angular/ssr package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Server-side Request Forgery (SSRF) @angular/ssr is a the Angular server side rendering utilities. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `createRequestUrl` function. An attacker can cause the server to make arbitrary HTTP requests to external domains by supplying a specially crafted request path that begins with double forward slashes or backslashes, which manipulates the URL resolution process and results in subsequent server-side HTTP requests being directed to attacker-controlled endpoints. How to fix Server-side Request Forgery (SSRF)? Upgrade `@angular/ssr` to version 19.2.18, 20.3.6, 21.0.0-next.8 or higher.	>=19.0.0-next.0 <19.2.18>=20.0.0-next.0 <20.3.6>=21.0.0-next.0 <21.0.0-next.8
H Race Condition @angular/ssr is a the Angular server side rendering utilities. Affected versions of this package are vulnerable to Race Condition between multiple concurrent requests in the global platform injector, when using the `bootstrapApplication`, `getPlatform`, or `destroyPlatform` functions. This allows data (including sensitive data) to be leaked between requests and included in rendered content or response headers for the wrong request. Note: The CLI is vulnerable even if an application is not explicitly using `getPlatform`, and exposes this vulnerability if exposed to remote connections. How to fix Race Condition? Upgrade `@angular/ssr` to version 18.2.21, 19.2.16, 20.3.0, 21.0.0-next.3 or higher.	<18.2.21>=19.0.0-next.0 <19.2.16>=20.0.0-next.0 <20.3.0>=21.0.0-next.0 <21.0.0-next.3

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

@angular/ssr is a the Angular server side rendering utilities.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the createRequestUrl function. An attacker can cause the server to make arbitrary HTTP requests to external domains by supplying a specially crafted request path that begins with double forward slashes or backslashes, which manipulates the URL resolution process and results in subsequent server-side HTTP requests being directed to attacker-controlled endpoints.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @angular/ssr to version 19.2.18, 20.3.6, 21.0.0-next.8 or higher.

>=19.0.0-next.0 <19.2.18>=20.0.0-next.0 <20.3.6>=21.0.0-next.0 <21.0.0-next.8

Race Condition

@angular/ssr is a the Angular server side rendering utilities.

Affected versions of this package are vulnerable to Race Condition between multiple concurrent requests in the global platform injector, when using the bootstrapApplication, getPlatform, or destroyPlatform functions. This allows data (including sensitive data) to be leaked between requests and included in rendered content or response headers for the wrong request.

Note: The CLI is vulnerable even if an application is not explicitly using getPlatform, and exposes this vulnerability if exposed to remote connections.

How to fix Race Condition?

Upgrade @angular/ssr to version 18.2.21, 19.2.16, 20.3.0, 21.0.0-next.3 or higher.

<18.2.21>=19.0.0-next.0 <19.2.16>=20.0.0-next.0 <20.3.0>=21.0.0-next.0 <21.0.0-next.3

@angular/ssr@20.2.0-next.1 vulnerabilities

Angular server side rendering utilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically