Executive Summary

This vulnerability exists in the @angular/platform-server package and allows remote attackers to bypass host allowlist restrictions and perform Server-Side Request Forgery (SSRF) attacks.

The issue arises because of a difference in how two URL parsers handle malformed URLs with a double port structure (e.g., http://evil.com:80:80/path). The strict WHATWG URL parser used for validating allowed hosts rejects such URLs and skips host validation, while the lenient Domino URL parser used for server-side DOM emulation accepts and parses them.

As a result, the Angular SSR HTTP request interceptor resolves relative backend HTTP requests against an attacker-controlled origin, enabling SSRF attacks.

This vulnerability affects Angular versions prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23 and has been fixed in those versions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to bypass host allowlist restrictions and perform SSRF attacks, which means they can make the server send requests to arbitrary external endpoints controlled by the attacker.

Exploitation can lead to exposure of sensitive data such as credentials or session tokens, potentially compromising confidentiality.

The CVSS score of 8.8 (High) indicates a serious security risk with high impact on confidentiality and some impact on integrity.

Attackers do not require any privileges or user interaction to exploit this vulnerability, and it can be performed remotely.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to your Angular server-side rendering (SSR) application for malformed URLs containing a double port structure, such as http://evil.com:80:80/path.

You can inspect incoming HTTP requests or logs for suspicious Host headers or absolute-form URIs that include multiple port delimiters, which may indicate attempts to bypass host allowlist validation.

For example, using command-line tools like grep or tcpdump to filter for such patterns in logs or network traffic might help identify exploitation attempts.

• grep -E 'http://[^:]+:[0-9]+:[0-9]+' /var/log/nginx/access.log
• tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -E 'Host:.*:[0-9]+:[0-9]+'

These commands search for URLs or Host headers with double port numbers that could be used to exploit the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the @angular/platform-server package to one of the patched versions: 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23.

These versions include fixes that normalize URL parsing and reject malformed absolute URLs that could bypass SSRF protections and host allowlist validation.

Until you can upgrade, consider implementing additional input validation or filtering on incoming requests to block URLs or Host headers containing malformed double port structures.

Also, review your server-side rendering configuration to ensure strict host allowlist enforcement and monitor logs for suspicious requests.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in the @angular/platform-server package allows attackers to bypass host allowlist restrictions and perform SSRF attacks, potentially exposing sensitive data such as credentials or session tokens.

Exposure of sensitive data through SSRF attacks can lead to violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and health information against unauthorized access.

Therefore, applications affected by this vulnerability may face compliance risks if exploited, as unauthorized data disclosure or access could breach regulatory requirements for confidentiality and data security.

Useful 0 Not Useful 0