CVE-2026-50168
Analyzed Analyzed - Analysis Complete

Angular SSR Server-Side Request Forgery via URL Parser Differential

Vulnerability report for CVE-2026-50168, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/platform-server package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for allowlist validation and the lenient Domino URL parser used to initialize the server emulated DOM. When a server-side request contains a malformed URL with a double port structure (e.g., http://evil.com:80:80/path), Node's strict URL.canParse(url) logic returns false and skips host check validation entirely. However, the same malformed URL is later accepted and parsed leniently by Domino's internal parser, which resolves the origin to http://evil.com:80. The Angular SSR HTTP request interceptor (relativeUrlsTransformerInterceptorFn) then resolves all relative backend HTTP requests against this adopted origin, executing the SSRF attack. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-07-09
Generated
2026-07-13
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 19 associated CPEs
Vendor Product Version / Range
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular From 19.0.0 (inc) to 19.2.23 (exc)
angular angular From 2.0.0 (inc) to 18.2.14 (inc)
angular angular From 20.0.0 (inc) to 20.3.22 (exc)
angular angular From 21.0.0 (inc) to 21.2.15 (exc)
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-346 The product does not properly verify that the source of data or communication is valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the @angular/platform-server package and allows remote attackers to bypass host allowlist restrictions and perform Server-Side Request Forgery (SSRF) attacks.

The issue arises because of a difference in how two URL parsers handle malformed URLs with a double port structure (e.g., http://evil.com:80:80/path). The strict WHATWG URL parser used for validating allowed hosts rejects such URLs and skips host validation, while the lenient Domino URL parser used for server-side DOM emulation accepts and parses them.

As a result, the Angular SSR HTTP request interceptor resolves relative backend HTTP requests against an attacker-controlled origin, enabling SSRF attacks.

This vulnerability affects Angular versions prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23 and has been fixed in those versions.

Compliance Impact

The vulnerability in the @angular/platform-server package allows attackers to bypass host allowlist restrictions and perform SSRF attacks, potentially exposing sensitive data such as credentials or session tokens.

Exposure of sensitive data through SSRF attacks can lead to violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and health information against unauthorized access.

Therefore, applications affected by this vulnerability may face compliance risks if exploited, as unauthorized data disclosure or access could breach regulatory requirements for confidentiality and data security.

Impact Analysis

This vulnerability can allow attackers to bypass host allowlist restrictions and perform SSRF attacks, which means they can make the server send requests to arbitrary external endpoints controlled by the attacker.

Exploitation can lead to exposure of sensitive data such as credentials or session tokens, potentially compromising confidentiality.

The CVSS score of 8.8 (High) indicates a serious security risk with high impact on confidentiality and some impact on integrity.

Attackers do not require any privileges or user interaction to exploit this vulnerability, and it can be performed remotely.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to your Angular server-side rendering (SSR) application for malformed URLs containing a double port structure, such as http://evil.com:80:80/path.

You can inspect incoming HTTP requests or logs for suspicious Host headers or absolute-form URIs that include multiple port delimiters, which may indicate attempts to bypass host allowlist validation.

For example, using command-line tools like grep or tcpdump to filter for such patterns in logs or network traffic might help identify exploitation attempts.

  • grep -E 'http://[^:]+:[0-9]+:[0-9]+' /var/log/nginx/access.log
  • tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -E 'Host:.*:[0-9]+:[0-9]+'

These commands search for URLs or Host headers with double port numbers that could be used to exploit the vulnerability.

Mitigation Strategies

The primary mitigation is to upgrade the @angular/platform-server package to one of the patched versions: 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23.

These versions include fixes that normalize URL parsing and reject malformed absolute URLs that could bypass SSRF protections and host allowlist validation.

Until you can upgrade, consider implementing additional input validation or filtering on incoming requests to block URLs or Host headers containing malformed double port structures.

Also, review your server-side rendering configuration to ensure strict host allowlist enforcement and monitor logs for suspicious requests.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50168. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart