CVE-2026-41423
Server-Side Request Forgery in Angular Platform Server
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| angular | platform-server | From 18.2.14 (inc) to 22.0.0-next.8 (exc) |
| angular | platform-server | 22.0.0-next.8 |
| angular | platform-server | 21.2.9 |
| angular | platform-server | 20.3.19 |
| angular | platform-server | 19.2.21 |
| angular | platform-server | to 22.0.0-next.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Request Forgery (SSRF) issue in Angular's platform-server package during Server-Side Rendering (SSR). It occurs because the URL parser improperly handles certain URLs, such as protocol-relative URLs (e.g., //evil.com/) or backslash-prefixed URLs (e.g., \evil.com\). The parser normalizes backslashes to forward slashes, causing the application to mistakenly treat the attacker's domain as the local origin.
As a result, relative HTTP client requests or hostname references within the application are redirected to the attacker-controlled server. This misinterpretation can expose internal APIs or metadata services to the attacker.
The vulnerability affects versions of @angular/platform-server prior to 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8 and has been patched in these versions.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to trick your server into treating their domain as a trusted local origin. Consequently, any relative HTTP requests or hostname references made by your application during server-side rendering could be redirected to the attacker-controlled server.
This redirection can lead to exposure of sensitive internal APIs or metadata services, potentially leaking confidential information.
The attack requires no privileges or user interaction and can be executed remotely over the network, making it a high-severity risk with a CVSS score of 8.7.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring incoming HTTP requests to your Angular platform-server that contain suspicious URL patterns such as protocol-relative URLs (e.g., //evil.com/) or backslash-prefixed URLs (e.g., \evil.com\). These requests may indicate attempts to exploit the SSRF vulnerability by tricking the server into treating an attacker-controlled domain as the local origin.
To detect such attempts, you can inspect your web server logs or use network monitoring tools to filter requests with URLs starting with double slashes (//) or backslashes (\). For example, using command-line tools on a Linux server:
- grep -E 'GET \/\/|GET \\' /var/log/nginx/access.log
- grep -E 'GET \/\/|GET \\' /var/log/apache2/access.log
These commands search for GET requests where the URL path starts with // or \ which are indicative of attempts to exploit the vulnerability.
Additionally, you can implement middleware or logging in your Angular server to log and alert on requests with such URL patterns before they reach the Angular rendering functions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this SSRF vulnerability in Angular platform-server, you should immediately upgrade your Angular platform-server package to one of the patched versions: 19.2.21, 20.3.19, 21.2.9, or 22.0.0-next.8.
If upgrading immediately is not possible, implement middleware in your server to sanitize incoming request URLs before they reach Angular's rendering functions. This middleware should ensure that URLs start with a single forward slash and remove any leading double slashes or backslashes to prevent the URL parser from misinterpreting the origin.
- Sanitize request URLs to start with a single forward slash.
- Remove or reject requests with protocol-relative URLs (//) or backslash-prefixed URLs (\).
These steps prevent the attacker from hijacking the internal state of the application and redirecting relative HttpClient requests or PlatformLocation.hostname references to attacker-controlled servers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The Server-Side Request Forgery (SSRF) vulnerability in Angular's platform-server component can lead to exposure of internal APIs or metadata services by redirecting requests to attacker-controlled servers. This exposure of internal data could potentially result in unauthorized access to sensitive information.
Such unauthorized data exposure may impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data from unauthorized access or disclosure.
Therefore, if exploited, this vulnerability could lead to violations of data protection requirements under these regulations, emphasizing the importance of applying the available patches and implementing URL sanitization to mitigate the risk.