Homepage

Server-side Request Forgery (SSRF) Affecting @angular/ssr package, versions <19.2.21>=20.0.0-next.0 <20.3.17>=21.0.0-next.0 <21.1.5>=21.2.0-next.0 <21.2.0-rc.0

Severity

 Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.05% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-ANGULARSSR-15357314
  • published26 Feb 2026
  • disclosed25 Feb 2026
  • creditYenya030
Report a new vulnerability Found a mistake?

Introduced: 25 Feb 2026

NewCVE-2026-27739  (opens in a new tab)
CWE-918  (opens in a new tab)

How to fix?

Upgrade @angular/ssr to version 19.2.21, 20.3.17, 21.1.5, 21.2.0-rc.0 or higher.

Overview

@angular/ssr is a the Angular server side rendering utilities.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the request handling pipeline due to improper validation of user-controlled HTTP headers such as Host and X-Forwarded-*. An attacker can redirect internal server requests to arbitrary external or internal destinations, potentially exfiltrating sensitive data or probing internal networks by manipulating these headers to influence URL resolution and request routing.

Note:

This is only exploitable if the application uses server-side rendering, performs HTTP requests using relative URLs or constructs URLs from unvalidated headers, and the infrastructure does not sanitize or validate incoming headers.

Workaround

This vulnerability can be mitigated by using absolute URLs for API requests and implementing strict header validation middleware to enforce trusted hostnames and numeric ports.

CVSS Base Scores

version 4.0
version 3.1