Server-side Request Forgery (SSRF) Affecting @angular/platform-server package, versions <19.2.21>=20.0.0-next.0 <20.3.19>=21.0.0-next.0 <21.2.9>=22.0.0-next.0 <22.0.0-next.8
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-ANGULARPLATFORMSERVER-16097942
- published17 Apr 2026
- disclosed16 Apr 2026
- creditYLChen-007
Introduced: 16 Apr 2026
New CVE NOT AVAILABLE CWE-918 (opens in a new tab)How to fix?
Upgrade @angular/platform-server to version 19.2.21, 20.3.19, 21.2.9, 22.0.0-next.8 or higher.
Overview
@angular/platform-server is an Angular - library for using Angular in Node.js
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the URL parsing during Server-Side Rendering (SSR). An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled domains by sending specially crafted requests with protocol-relative or backslash-prefixed URLs. This can result in exposure of internal APIs or metadata services if the server performs HTTP requests using relative URLs or constructs URLs based on the manipulated origin.
Note:
Affected APIs (used with Angular SSR):
renderModulerenderApplicationCommonEngine
Workaround
This vulnerability can be mitigated by implementing middleware to sanitize incoming request URLs, ensuring they start with a single forward slash and removing any leading backslashes or multiple slashes.