CVE-2026-41423
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.
A Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-41423) has been identified in Angular's Platform Server, which allows attackers to manipulate URL handling during Server-Side Rendering (SSR) and can lead to unauthorized server-side requests to attacker-controlled or internal resources.
Per OWASP: In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases or perform POST requests towards internal services which are not intended to be exposed.
This issue affects multiple versions of Angular.
Details
Module Info
- Product: Angular
- Affected packages: @angular/platform-server
- Affected versions:
  - <=18.2.14
  - >=19.0.0-next.0 <19.2.21
  - >=20.0.0-next.0 <20.3.19
  - >=21.0.0-next.0 <21.2.9
  - >=22.0.0-next.0 <22.0.0-next.8
- GitHub repository: https://github.com/angular/angular
- Published packages: https://www.npmjs.com/package/@angular/platform-server
- Package manager: npm
- Fixed in:
  - OSS Angular v19.2.21, v20.3.19, v21.2.9 and v22.0.0-next.8
Vulnerability Info
This High-severity vulnerability is found in the @angular/platform-server package in multiple published versions of Angular.
Normally, Angular SSR derives the application's URL host by resolving the request URL's pathname against a known base URL. This lets Angular determine the current request context and correctly resolve relative paths for routing and for server-side HTTP requests, such as those made with HttpClient or by logic that reads PlatformLocation.hostname.
However, because this resolution follows JavaScript (WHATWG) URL parsing semantics, Angular can misinterpret certain crafted request paths. A URL string that begins with two or more slashes is parsed as a scheme-relative (protocol-relative) reference, so the text after the slashes replaces the host component of the base URL instead of being treated as a path. When an attacker sends a request whose path begins with multiple slashes (e.g., GET //evil.com/ HTTP/1.1), Angular resolves the URL with evil.com as the host instead of the legitimate application host, and the application treats the attacker-controlled host as its own.
Any subsequent relative HTTP requests issued during SSR, such as those made through HttpClient, and any hostname-based logic that reads PlatformLocation.hostname, are then directed at the attacker-controlled server. This lets the attacker influence server-side network requests.
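The following is an added example, not Angular's own code or its patch, that demonstrates the parsing behaviour described above with Node's built-in WHATWG URL class. It resolves several constructed request paths against an assumed trusted base (https://app.example.com/) the way a naive resolver would, and contrasts that with a resolver that refuses any result whose origin differs from the base. The origin check is deliberately applied to the parsed result rather than to the input string, because the parser accepts several spellings of a scheme-relative reference (two slashes, three or more slashes, a slash followed by a backslash) and an absolute URL smuggled in as a path; all of them are covered by one comparison.

```javascript
// Added example (not Angular's code): how a request path that begins with
// two or more slashes replaces the host during URL resolution, and a check
// that rejects any resolution that leaves the trusted origin.
// Uses only the WHATWG URL class that Node.js exposes globally.

// Assumed origin of the SSR server; any real deployment has its own.
const TRUSTED_BASE = 'https://app.example.com/';

// Naive resolution: treat the request path as a relative reference against
// the base URL. This mirrors the pattern the advisory describes, where the
// resulting host is later used for HttpClient requests and
// PlatformLocation.hostname.
function naiveResolve(path, base = TRUSTED_BASE) {
  return new URL(path, base);
}

// Host the naive resolver would hand to later server-side code.
function naiveHost(path) {
  return naiveResolve(path).host;
}

// Hardened resolution: resolve, then verify the result is still on the base
// origin. Checking the parsed origin (rather than pattern-matching the input)
// covers every spelling the parser accepts for a scheme-relative reference:
// "//", "///", "/\", and an absolute URL.
function resolveWithinOrigin(path, base = TRUSTED_BASE) {
  const baseUrl = new URL(base);
  const url = new URL(path, baseUrl);
  if (url.origin !== baseUrl.origin) {
    throw new Error(`request path "${path}" resolved off-origin to ${url.origin}`);
  }
  return url;
}

// True when the hardened resolver accepts the path.
function accepted(path) {
  try {
    resolveWithinOrigin(path);
    return true;
  } catch {
    return false;
  }
}

// Constructed request paths, as they would appear in the HTTP request line.
const probes = [
  '/products/42',          // ordinary path, stays on the trusted host
  '//evil.example/',       // scheme-relative reference: host replaced
  '///evil.example/',      // extra slashes are skipped by the parser for http(s)
  '/\\evil.example/',      // backslash is treated as "/" for special schemes
  'https://evil.example/', // absolute URL smuggled in as a "path"
];

for (const path of probes) {
  console.log(
    `${path.padEnd(24)} naive host: ${naiveHost(path).padEnd(16)} hardened: ${
      accepted(path) ? 'accepted' : 'rejected'
    }`,
  );
}
```

Running the block prints one line per probe: only `/products/42` keeps `app.example.com` as the host, and only that probe passes the hardened resolver. The other four all yield `evil.example`, which is the value that the advisory says ends up driving HttpClient requests and PlatformLocation.hostname on an unpatched server.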
When successfully exploited, this vulnerability can lead to:
- Exposure of internal services: Accessing internal APIs or services that are not publicly reachable.
- Sensitive data disclosure: Retrieving data from internal metadata endpoints (e.g., cloud provider metadata services).
- Server-side request manipulation: Forcing the server to make unintended outbound requests to attacker-controlled or internal systems.
Mitigation
Angular versions prior to 19 are End-of-Life and will not receive updates to address this issue.
Users of the affected components should apply one of the following mitigations:
- Migrate affected applications to a patched version of Angular.
- Use a commercial support partner like HeroDevs for post-EOL security support.
Credits
- YLChen-007 (finder)