Server-side Request Forgery (SSRF) Affecting @angular/platform-server package, versions <19.2.22, >=20.0.0-next.0 <20.3.21, >=21.0.0-next.0 <21.2.13, >=22.0.0-next.0 <22.0.0-next.12


Severity: high

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-JS-ANGULARPLATFORMSERVER-16770437
  • published: 20 May 2026
  • disclosed: 19 May 2026
  • credit: Venkatesan

Introduced: 19 May 2026

CVE-2026-46417
CWE-918

How to fix?

Upgrade @angular/platform-server to version 19.2.22, 20.3.21, 21.2.13, 22.0.0-next.12 or higher.

Overview

@angular/platform-server is an Angular library for using Angular in Node.js.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the processing of absolute-form URLs in the server-side rendering engine. An attacker can redirect internal HTTP requests to an attacker-controlled server by supplying a crafted request URL, potentially exposing sensitive internal APIs or metadata services.

Workaround

This vulnerability can be mitigated by implementing strict URL validation in the server entry point to ensure that incoming request URLs are validated against a known list of trusted hostnames or normalized to a relative path before being passed to the rendering functions.
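
One way to implement the validation described in this workaround, as an added example (not Angular's or Snyk's code). It assumes `rawUrl` is the request target as Node exposes it in `req.url` and `hostHeader` is `req.headers.host`; `TRUSTED_HOSTS`, `safeRenderUrl` and all hostnames are constructed for illustration.

```javascript
// Hypothetical guard for an SSR server entry point (illustrative names only).
const TRUSTED_HOSTS = new Set(['app.example.com', 'localhost']); // constructed allowlist
const BASE = 'http://ssr.invalid'; // placeholder origin, used only for parsing

// Extract the hostname from a Host header, or null if it is malformed.
function hostnameOf(hostHeader) {
  if (typeof hostHeader !== 'string' || !/^[A-Za-z0-9.\-\[\]:]+$/.test(hostHeader)) {
    return null;
  }
  try {
    return new URL(`http://${hostHeader}`).hostname; // drops port, lowercases
  } catch {
    return null;
  }
}

// Validate the request target and reduce it to a relative path + query.
function safeRenderUrl(rawUrl, hostHeader, trusted = TRUSTED_HOSTS) {
  const host = hostnameOf(hostHeader);
  if (!host || !trusted.has(host)) {
    return { ok: false, reason: 'untrusted-host-header' };
  }
  let parsed;
  try {
    // Resolving against BASE exposes absolute-form, protocol-relative and
    // backslash variants: all of them change the parsed hostname.
    parsed = new URL(rawUrl, BASE);
  } catch {
    return { ok: false, reason: 'unparseable-url' };
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { ok: false, reason: 'bad-scheme' };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: 'userinfo-in-url' };
  }
  const isAbsolute = parsed.hostname !== new URL(BASE).hostname;
  if (isAbsolute && !trusted.has(parsed.hostname)) {
    return { ok: false, reason: 'untrusted-url-host' };
  }
  // Only the path and query survive; the origin comes from the validated host.
  return { ok: true, host, path: parsed.pathname + parsed.search };
}
```

Reject the request (for example with a 400 response) when `ok` is false, and pass only the returned `path`, combined with an origin built from the validated `host`, to the rendering function.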
