@angular/ssr 21.1.4 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @angular/ssr package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Open Redirect @angular/ssr is a the Angular server side rendering utilities. Affected versions of this package are vulnerable to Open Redirect via the internal URL processing logic when handling the `X-Forwarded-Prefix` header. An attacker can cause users to be redirected to arbitrary external domains by supplying a specially crafted header value containing multiple leading slashes, which is insufficiently sanitized before being used in the `Location` header. This can facilitate large-scale phishing and SEO hijacking attacks. Note: This is only exploitable if the application uses Angular SSR, has routes that perform internal redirects, the infrastructure passes the `X-Forwarded-Prefix` header to the SSR process without sanitization, and the cache does not vary on the `X-Forwarded-Prefix` header. How to fix Open Redirect? Upgrade `@angular/ssr` to version 19.2.21, 20.3.17, 21.1.5, 21.2.0-rc.0 or higher.	>=19.0.0-next.0 <19.2.21>=20.0.0-next.0 <20.3.17>=21.0.0-next.0 <21.1.5>=21.2.0-next.0 <21.2.0-rc.0
C Server-side Request Forgery (SSRF) @angular/ssr is a the Angular server side rendering utilities. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the request handling pipeline due to improper validation of user-controlled HTTP headers such as `Host` and `X-Forwarded-`. An attacker can redirect internal server requests to arbitrary external or internal destinations, potentially exfiltrating sensitive data or probing internal networks by manipulating these headers to influence URL resolution and request routing. Note:* This is only exploitable if the application uses server-side rendering, performs HTTP requests using relative URLs or constructs URLs from unvalidated headers, and the infrastructure does not sanitize or validate incoming headers. How to fix Server-side Request Forgery (SSRF)? Upgrade `@angular/ssr` to version 19.2.21, 20.3.17, 21.1.5, 21.2.0-rc.0 or higher.	<19.2.21>=20.0.0-next.0 <20.3.17>=21.0.0-next.0 <21.1.5>=21.2.0-next.0 <21.2.0-rc.0

Vulnerability

Vulnerable Version

Open Redirect

@angular/ssr is a the Angular server side rendering utilities.

Affected versions of this package are vulnerable to Open Redirect via the internal URL processing logic when handling the X-Forwarded-Prefix header. An attacker can cause users to be redirected to arbitrary external domains by supplying a specially crafted header value containing multiple leading slashes, which is insufficiently sanitized before being used in the Location header. This can facilitate large-scale phishing and SEO hijacking attacks.

Note:

This is only exploitable if the application uses Angular SSR, has routes that perform internal redirects, the infrastructure passes the X-Forwarded-Prefix header to the SSR process without sanitization, and the cache does not vary on the X-Forwarded-Prefix header.

How to fix Open Redirect?

Upgrade @angular/ssr to version 19.2.21, 20.3.17, 21.1.5, 21.2.0-rc.0 or higher.

>=19.0.0-next.0 <19.2.21>=20.0.0-next.0 <20.3.17>=21.0.0-next.0 <21.1.5>=21.2.0-next.0 <21.2.0-rc.0

Server-side Request Forgery (SSRF)

@angular/ssr is a the Angular server side rendering utilities.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the request handling pipeline due to improper validation of user-controlled HTTP headers such as Host and X-Forwarded-*. An attacker can redirect internal server requests to arbitrary external or internal destinations, potentially exfiltrating sensitive data or probing internal networks by manipulating these headers to influence URL resolution and request routing.

Note:

This is only exploitable if the application uses server-side rendering, performs HTTP requests using relative URLs or constructs URLs from unvalidated headers, and the infrastructure does not sanitize or validate incoming headers.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @angular/ssr to version 19.2.21, 20.3.17, 21.1.5, 21.2.0-rc.0 or higher.

<19.2.21>=20.0.0-next.0 <20.3.17>=21.0.0-next.0 <21.1.5>=21.2.0-next.0 <21.2.0-rc.0

@angular/ssr@21.1.4 vulnerabilities

Angular server side rendering utilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically