CVE-2026-46417
Undergoing Analysis - In Progress
Server-Side Request Forgery in Angular Platform Server

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker-controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.
Meta Information
Generated: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products (6 associated CPEs)

Vendor    Product           Version / Range
angular   platform-server   up to 22.0.0-next.12 (excluding)
angular   platform-server   21.2.13
angular   platform-server   20.3.21
angular   platform-server   19.2.22
angular   platform-server   from 18.2.14 (including) to 22.0.0-next.12 (excluding)
angular   platform-server   22.0.0-next.12

Note that the single-version rows 22.0.0-next.12, 21.2.13, 20.3.21 and 19.2.22 are the fixed releases named in the description; per the description, the vulnerable versions on each line are those prior to that release.
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) issue in the @angular/platform-server package used for server-side rendering (SSR) in Angular applications. It occurs when the SSR engine processes an absolute-form URL (such as http://evil.com) passed to rendering entry points. An attacker can manipulate the internal ServerPlatformLocation to adopt the attacker's domain as the current hostname. This causes any relative HttpClient requests or hostname references to be redirected to the attacker-controlled server.

As a result, internal APIs or metadata services that should be protected may be exposed to the attacker. The vulnerability affects versions prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22 and is classified under CWE-918 (Server-Side Request Forgery).

Impact Analysis

This vulnerability primarily affects confidentiality. An attacker who can get an absolute-form URL in front of the rendering entry point can make the relative HttpClient requests issued during server-side rendering go to a host of their choosing, including internal APIs or a cloud metadata service that are not reachable from outside.

Because the URL handed to the renderer is normally taken from the incoming HTTP request, the attack needs only network access to the SSR endpoint: no privileges and no user interaction. The description names only a confidentiality impact; integrity and availability are not significantly affected.

Detection Guidance

The vulnerable path is the SSR engine accepting an absolute-form URL (a request-target of the form http://host/path, as opposed to the usual origin-form /path) and letting the internal ServerPlatformLocation adopt its hostname. Detection therefore has two parts: establish whether the installed @angular/platform-server falls in a vulnerable range, and look for absolute-form request-targets reaching your rendering entry points.

To detect exploitation attempts, monitor the access logs in front of the SSR process for request lines whose target carries a scheme and host (for example "GET http://evil.com/ HTTP/1.1"), especially where that host is external or points at an internal address or metadata service. Node's http module passes the request-target through verbatim in req.url, so such a target reaches application code unchanged unless a reverse proxy in front rewrites it.

No detection commands are provided in the resources. You can:

  • Check the version of @angular/platform-server in your lockfile against the vulnerable ranges (versions prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22).
  • Review access logs for SSR requests whose request-target is absolute-form, especially those naming external, internal-network or metadata-service hosts.
  • Add logging at the server-side rendering entry points so that the URL handed to the renderer, and the hostname it resolved to, is recorded and can be compared against your expected hosts.

Absent explicit detection commands, audit your SSR code and logs manually or with custom scripts to identify suspicious URL usage.
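The first two checks from the list above, in TypeScript, as an added example that is not part of the advisory or of the Angular project: a version test against the fixed releases named in the description, and a scan of access-log lines for absolute-form request-targets whose host is not on an allowlist. The function names, the Common/Combined Log Format shape, the allowlisted host app.example.com and the sample log lines are all constructed for illustration.

```typescript
// Added example, not code from the advisory or the Angular project.
// Two checks for CVE-2026-46417: (1) is the installed @angular/platform-server
// below the fixed release for its major line, (2) which access-log lines carry
// an absolute-form request-target pointing at a non-allowlisted host.
// All names, the log format and the sample lines are constructed assumptions.

// Fixed releases named in the advisory, keyed by major version.
const FIXED_BY_MAJOR: { [major: number]: string } = {
  19: "19.2.22",
  20: "20.3.21",
  21: "21.2.13",
  22: "22.0.0-next.12",
};

interface ParsedVersion { nums: number[]; pre: string | null; preNum: number }

// Parse "MAJOR.MINOR.PATCH" or "MAJOR.MINOR.PATCH-tag.N" (the shapes Angular uses).
function parseVersion(v: string): ParsedVersion {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/i.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].toLowerCase() : null,
    preNum: m[5] ? Number(m[5]) : -1,
  };
}

// Semver ordering: numeric fields first; a prerelease sorts below the plain
// release; prereleases compare by tag name, then by number.
function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  if (pa.pre !== pb.pre) return pa.pre < pb.pre ? -1 : 1;
  return pa.preNum === pb.preNum ? 0 : pa.preNum < pb.preNum ? -1 : 1;
}

// True when `installed` is below the fixed release of its major line. Majors
// older than 19 have no fix listed and are treated as vulnerable (the CPE data
// starts the range at 18.2.14); majors newer than 22 are outside the advisory.
function isVulnerable(installed: string): boolean {
  const major = parseVersion(installed).nums[0];
  const fixed = FIXED_BY_MAJOR[major];
  if (fixed === undefined) return major < 19;
  return compareVersions(installed, fixed) < 0;
}

interface Finding { line: number; target: string; host: string }

// Quoted request line of the Common/Combined Log Format: "METHOD target HTTP/x.y".
const REQUEST_LINE = /"([A-Z]+) (\S+) HTTP\/[0-9.]+"/;
// Absolute-form request-target (RFC 7230 5.3.2): starts with "scheme://".
const ABSOLUTE_FORM = /^[a-z][a-z0-9+.-]*:\/\//i;

// Flag every request whose target is absolute-form and names a host outside
// the allowlist. Origin-form targets ("/path") are the normal case and ignored.
function scanAccessLog(log: string, allowedHosts: string[]): Finding[] {
  const allowed = allowedHosts.map(h => h.toLowerCase());
  const findings: Finding[] = [];
  log.split("\n").forEach((line, idx) => {
    const m = REQUEST_LINE.exec(line);
    if (!m) return;
    const target = m[2];
    if (!ABSOLUTE_FORM.test(target)) return;
    let host = "(unparseable)";
    try { host = new URL(target).hostname.toLowerCase(); } catch (e) { /* keep marker */ }
    if (allowed.indexOf(host) === -1) findings.push({ line: idx + 1, target, host });
  });
  return findings;
}

// Constructed sample: two ordinary requests, then two absolute-form targets
// aimed at a metadata address and an external host.
const SAMPLE_LOG = [
  '10.0.0.5 - - [22/Jun/2026:10:00:00 +0000] "GET /dashboard HTTP/1.1" 200 4821',
  '10.0.0.5 - - [22/Jun/2026:10:00:01 +0000] "GET http://app.example.com/dashboard HTTP/1.1" 200 4821',
  '203.0.113.9 - - [22/Jun/2026:10:00:02 +0000] "GET http://169.254.169.254/dashboard HTTP/1.1" 200 4821',
  '203.0.113.9 - - [22/Jun/2026:10:00:03 +0000] "GET http://evil.com/ HTTP/1.1" 200 4821',
].join("\n");

// Stand-alone run: version verdicts, then the flagged log lines.
for (const v of ["21.2.12", "21.2.13", "22.0.0-next.11", "22.0.0-next.12"]) {
  console.log(v, isVulnerable(v) ? "VULNERABLE" : "fixed");
}
console.log(scanAccessLog(SAMPLE_LOG, ["app.example.com"]));
```

Point isVulnerable at the resolved version from your lockfile rather than the caret range in package.json, and feed scanAccessLog the logs of whatever terminates HTTP in front of the SSR process, since a reverse proxy that normalises the request-target would hide the absolute form from the application's own logs.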

Mitigation Strategies

The fix is to upgrade @angular/platform-server to a patched release: 22.0.0-next.12, 21.2.13, 20.3.21, or 19.2.22, depending on your major line.

If you cannot upgrade immediately, validate the URL in your server-side rendering entry point before it reaches the renderer: reject absolute-form request-targets whose host is not on a trusted allowlist, and build the URL handed to the renderer from an allowlisted hostname plus the request's path and query rather than from the raw request-target. Validate the Host header against the same allowlist, since it is just as attacker-controlled as the request-target.

The `allowedHosts` option newly introduced in `PlatformConfig` enforces hostname validation at platform initialization and rejects hostnames outside the list. Because the page describes it as newly introduced, treat it as a setting to enable after upgrading rather than as a substitute for the patch.

  • Upgrade @angular/platform-server to one of the patched versions: 22.0.0-next.12, 21.2.13, 20.3.21, or 19.2.22.
  • Implement strict hostname allowlist validation in your SSR entry points, covering both the request-target and the Host header, and reject untrusted absolute URLs.
  • Set the `allowedHosts` option in `PlatformConfig` on the patched release so that hostname validation is enforced by the platform itself.
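The entry-point validation described above, in TypeScript, as an added example (not code from the advisory or from Angular): the unsafe way of deriving the render URL from the raw request-target, beside a hardened version that rebuilds it from an allowlisted host. IncomingLike, renderUrlUnsafe, renderUrlSafe, resolveRelative and the host app.example.com are assumptions for illustration; the renderer call itself (for instance the url option of renderApplication) is left as a comment so the block runs offline, and resolveRelative uses the WHATWG URL resolver to model how a relative HttpClient request would resolve against the adopted base.

```typescript
// Added example, not code from the advisory or the Angular project. It shows
// how an SSR entry point derives the URL handed to the renderer (e.g. the `url`
// option of renderApplication) in an unsafe and in a hardened way. The names
// below and the host app.example.com are constructed for illustration.

interface IncomingLike { url: string; headers: { host?: string } }

// Absolute-form request-target (RFC 7230 5.3.2): "http://host/path" instead of "/path".
const ABSOLUTE_FORM = /^[a-z][a-z0-9+.-]*:\/\//i;

// UNSAFE: trusts the raw request-target. An absolute-form target becomes the
// base URL the platform location adopts, which is the condition the advisory
// describes.
function renderUrlUnsafe(req: IncomingLike): string {
  if (ABSOLUTE_FORM.test(req.url)) return req.url;
  return `https://${req.headers.host || "localhost"}${req.url}`;
}

// Models what a relative HttpClient request (e.g. "/api/profile") resolves to
// once the platform location has adopted `base`, using the WHATWG URL resolver.
function resolveRelative(base: string, path: string): string {
  return new URL(path, base).toString();
}

function stripPort(host: string): string {
  return host.replace(/:\d+$/, "");
}

// HARDENED: the hostname always comes from an allowlisted Host header; an
// absolute-form target is tolerated only when its host is also allowlisted,
// and only its path and query are kept. Scheme comes from deployment config.
// Throws on anything else so the request never reaches the renderer.
function renderUrlSafe(req: IncomingLike, allowedHosts: string[], scheme = "https"): string {
  const allowed = allowedHosts.map(h => h.toLowerCase());
  const hostHeader = (req.headers.host || "").toLowerCase();
  if (allowed.indexOf(stripPort(hostHeader)) === -1) {
    throw new Error(`Host header not allowlisted: "${hostHeader}"`);
  }
  let pathAndQuery = req.url;
  if (ABSOLUTE_FORM.test(req.url)) {
    const u = new URL(req.url);
    if (allowed.indexOf(u.hostname.toLowerCase()) === -1) {
      throw new Error(`request-target host not allowlisted: "${u.hostname}"`);
    }
    pathAndQuery = u.pathname + u.search;
  }
  // Asterisk-form ("*") and authority-form ("host:port") targets are not
  // something a page render should ever see.
  if (pathAndQuery.charAt(0) !== "/") {
    throw new Error(`unexpected request-target: "${req.url}"`);
  }
  // Rebuilt from trusted parts only; this is the value to pass as `url` to the renderer.
  return `${scheme}://${hostHeader}${pathAndQuery}`;
}

// Constructed attack request: a legitimate Host header, but an absolute-form
// target aimed at a cloud metadata address.
const attack: IncomingLike = {
  url: "http://169.254.169.254/latest/meta-data/",
  headers: { host: "app.example.com" },
};

console.log("unsafe base:", renderUrlUnsafe(attack));
console.log("relative /api/profile goes to:", resolveRelative(renderUrlUnsafe(attack), "/api/profile"));
try {
  renderUrlSafe(attack, ["app.example.com"]);
} catch (e) {
  console.log("hardened:", (e as Error).message);
}
console.log("hardened, normal request:",
  renderUrlSafe({ url: "/dashboard?tab=1", headers: { host: "app.example.com" } }, ["app.example.com"]));
```

The allowlist should hold exactly the hostnames your deployment serves; matching on Host alone is not enough, because the advisory's condition is the request-target, and matching on the request-target alone leaves the Host header as a second attacker-controlled source of the same value.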
Compliance Impact

This Server-Side Request Forgery (SSRF) vulnerability in Angular's @angular/platform-server can lead to exposure of internal APIs or metadata services by redirecting requests to attacker-controlled servers. Such exposure of internal data could potentially result in unauthorized access to sensitive information.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the confidentiality impact of this vulnerability is high, which implies a risk of data breaches or unauthorized data disclosure. This could affect compliance with regulations that require protection of personal or sensitive data.

Mitigating this vulnerability by applying patches or implementing strict URL validation is important to maintain compliance with data protection standards that mandate safeguarding against unauthorized access and data leaks.
