Skip to main content

Angular platform-server EUVDEUVD-2026-38293

| CVE-2026-50168 HIGH
Origin Validation Error (CWE-346)
2026-06-15 https://github.com/angular/angular GHSA-xrxm-cp7j-8xf6
8.8
CVSS 4.0 · Vendor: https://github.com/angular/angular
Share

Severity by source

Vendor (https://github.com/angular/angular) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.3 CRITICAL

Remote unauthenticated SSRF via crafted Host header (AV:N/AC:L/PR:N/UI:N); scope changes as SSR fetches to attacker origin leak data from backend systems (S:C, C:H); response injection yields limited integrity impact (I:L).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (https://github.com/angular/angular).

CVSS VectorVendor: https://github.com/angular/angular

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 22, 2026 - 18:35 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 22, 2026 - 18:34 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 18:23 vuln.today
cvss_changed
CVSS changed
Jun 22, 2026 - 18:23 NVD
8.8 (HIGH)
Source Code Evidence Fetched
Jun 15, 2026 - 17:15 vuln.today
Analysis Generated
Jun 15, 2026 - 17:15 vuln.today

DescriptionCVE.org

An issue in the @angular/platform-server package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for allowlist validation and the lenient Domino URL parser used to initialize the server emulated DOM.

When a server-side request contains a malformed URL with a double port structure (e.g., http://evil.com:80:80/path), Node's strict URL.canParse(url) logic returns false and skips host check validation entirely. However, the same malformed URL is later accepted and parsed leniently by Domino's internal parser, which resolves the origin to http://evil.com:80. The Angular SSR HTTP request interceptor (relativeUrlsTransformerInterceptorFn) then resolves all relative backend HTTP requests against this adopted origin, executing the SSRF attack.

Impact

Any Angular application utilizing server-side rendering (@angular/platform-server) that configures host routing allowlists (allowedHosts) is vulnerable to this allowlist bypass.

By sending an HTTP request with a malformed Host header (e.g. Host: evil.com:80:80) or an absolute-form request URI, an attacker can bypass the allowlist logic completely (even when configured with a strict default deny setup). The SSR application will then route all relative HttpClient outgoing API queries-which commonly carry sensitive credentials, session cookies, and internal authorization tokens-to the attacker-controlled server instead of the intended backend services. Additionally, the attacker can supply custom payloads back to the emulated DOM, leading to response injection and content poisoning within the rendered HTML served to users.

Attack Preconditions

To successfully exploit this vulnerability, the following environment parameters and application states must all concurrently exist:

  1. Active Server-Side Rendering (SSR): The application must be configured to run with Angular Server-Side Rendering (@angular/platform-server).
  2. Host Header/URI Propagation: The SSR handler must reconstruct the request URL using raw client inputs (such as request Host headers or absolute-form URIs) and pass it as config.url to the rendering API (renderApplication or renderModule).
  3. Outbound Relative HTTP Requests: The server application must perform outbound backend API requests using relative paths (e.g., this.http.get('/api/data')) that undergo base-URL interceptor rewriting.
  4. Enabled Allowed Hosts Check: The server must use the framework-provided allowedHosts options to limit valid server locations.

Patches

  • 22.0.0-rc.2
  • 21.2.15
  • 20.3.22
  • 19.2.23

AnalysisAI

Server-side request forgery in @angular/platform-server allows remote unauthenticated attackers to bypass the allowedHosts allowlist by sending a malformed Host header or absolute-form request URI (e.g., 'evil.com:80:80'), causing the SSR runtime to redirect outbound HttpClient requests to attacker-controlled origins. The flaw stems from a parser differential between Node's strict WHATWG URL parser (used for allowlist validation) and Domino's lenient parser (used for DOM origin resolution). No public exploit identified at time of analysis, but proof-of-concept patterns are documented in the GitHub Security Advisory GHSA-xrxm-cp7j-8xf6.

Technical ContextAI

The affected component is @angular/platform-server, the official Angular Server-Side Rendering (SSR) runtime that pre-renders Angular applications on Node.js using the Domino DOM emulation library. The root cause maps to CWE-346 (Origin Validation Error): the renderApplication/renderModule path validates the request URL with Node's URL.canParse(), which strictly rejects malformed inputs and short-circuits the host check - yet the same URL is subsequently fed to Domino, whose lenient parser silently accepts double-port constructs like 'http://evil.com:80:80' and resolves them to 'http://evil.com:80'. The relativeUrlsTransformerInterceptorFn then uses that attacker-controlled origin as the base for every relative HttpClient call made during rendering. The fix (PR #68928) introduces a unified parseUrl helper in packages/platform-server/src/url.ts that normalizes leading slashes, rejects malformed absolute URLs, and ensures the allowlist sees the same origin Domino will use.

RemediationAI

Vendor-released patches are available: upgrade @angular/platform-server to 19.2.23, 20.3.22, 22.0.0-rc.2, or later as appropriate for your major (see PR https://github.com/angular/angular/pull/68928 and advisory https://github.com/angular/angular/security/advisories/GHSA-xrxm-cp7j-8xf6). The 18.x line has no fixed release at this time, so 18.x users should plan a major-version upgrade or apply the upstream parseUrl change as a local patch. As compensating controls until patching, terminate and rewrite the Host header at the reverse proxy (e.g., 'proxy_set_header Host $host' with $host validated against a hardcoded server_name) so attacker-supplied double-port values never reach the Node process; alternatively, change SSR bootstrap to pass a fixed config.url rather than reconstructing it from request headers - the trade-off is losing per-request URL fidelity for things like canonical link generation. Avoid relying on allowedHosts alone as a security boundary while unpatched.

Share

EUVD-2026-38293 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy