CVE-2026-50168
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.
A Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-50168) has been identified in Angular's Platform Server. It allows an attacker to bypass host allowlist restrictions during Server-Side Rendering (SSR) by exploiting a differential between two URL parsers, and can lead to unauthorized server-side requests to attacker-controlled or internal resources.
Per OWASP, in a Server-Side Request Forgery (SSRF) attack the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as cloud metadata, connect to internal services like HTTP-enabled databases, or perform requests towards internal services that are not intended to be exposed.
This issue affects multiple versions of Angular.
Details
Module Info
- Product: Angular
- Affected packages: @angular/platform-server
- Affected versions: <=18.2.14, >=19.0.0-next.0 <19.2.23, >=20.0.0-next.0 <20.3.22, >=21.0.0-next.0 <21.2.15, >=22.0.0-next.0 <22.0.0-rc.2
- GitHub repository: https://github.com/angular/angular
- Published packages: https://www.npmjs.com/package/@angular/platform-server
- Package manager: npm
- Fixed in:
- Angular NES
- Angular 19.2.23, 20.3.22, 21.2.15, 22.0.0-rc.2 (OSS)
Vulnerability Info
This High-severity vulnerability is found in the @angular/platform-server package in multiple published versions of Angular.
The issue stems from a parser differential between two URL parsers used during Server-Side Rendering. Allowlist validation relies on Node's strict WHATWG URL parser, while the server's emulated DOM is initialized using Domino's more lenient parser. When a request carries a malformed URL with a double port structure (an authority of the form host:port:port), the strict URL.canParse() check returns false and, instead of failing closed, the host allowlist validation is skipped entirely. Domino then accepts the same URL and resolves its origin to the attacker-controlled host.
Because the SSR HTTP request interceptor resolves relative backend requests against this adopted origin, an attacker can supply a malicious Host header or an absolute-form request URI to redirect every relative HttpClient call to an attacker-controlled server. These calls commonly carry credentials, session cookies, and internal authorization tokens. The redirection succeeds even when a strict default-deny allowedHosts configuration is in place, because the malformed URL never reaches the allowlist comparison at all. The attacker can also return crafted payloads to the emulated DOM, leading to response injection and content poisoning within the rendered HTML.
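The following JavaScript is an added illustration of the parser differential described above; it is not code from Angular, Domino or HeroDevs. The strict side is Node's real WHATWG URL parser (URL.canParse). The lenient side is a small hypothetical stand-in that extracts an origin the way a permissive DOM parser might, so the whole thing runs offline; it models the behaviour the advisory describes, not Domino's actual implementation. The function names, the allowlist and the request URLs are all assumptions constructed for the example. The vulnerable check treats a URL the strict parser rejects as "nothing to validate"; the hardened variant fails closed.

```javascript
// Added example (not Angular's, Domino's or HeroDevs' code): a model of the
// strict-vs-lenient URL parser differential behind CVE-2026-50168.

// Strict WHATWG check. URL.canParse exists in Node 19.9+/18.17+; fall back
// to try/new URL on older runtimes so the example still runs.
function strictCanParse(url) {
  if (typeof URL.canParse === "function") return URL.canParse(url);
  try { new URL(url); return true; } catch { return false; }
}

// Vulnerable pattern: the allowlist is consulted only when the strict parser
// succeeds. A URL the strict parser rejects is treated as "nothing to check".
function hostAllowedVulnerable(requestUrl, allowedHosts) {
  if (!strictCanParse(requestUrl)) {
    return true; // validation skipped entirely
  }
  return allowedHosts.has(new URL(requestUrl).host);
}

// Hardened pattern: fail closed. Anything the strict parser rejects is
// rejected too, so a lenient parser never gets to adopt its origin.
function hostAllowedHardened(requestUrl, allowedHosts) {
  if (!strictCanParse(requestUrl)) {
    return false;
  }
  return allowedHosts.has(new URL(requestUrl).host);
}

// Hypothetical lenient origin extraction (a stand-in, NOT Domino's parser):
// take scheme and authority, use everything before the first ':' of the
// authority as the hostname, and ignore whatever follows it.
function lenientOrigin(url) {
  const m = /^([a-z][a-z0-9+.\-]*):\/\/([^/?#]*)/i.exec(url);
  if (m === null) return null;
  const scheme = m[1].toLowerCase();
  const hostname = m[2].split(":")[0].toLowerCase();
  if (hostname === "") return null;
  return `${scheme}://${hostname}`;
}

// How an absolute request URL is rebuilt from an incoming Host header
// (assumed shape; this is where a malicious Host header enters the flow).
function urlFromHostHeader(hostHeader, path, protocol = "http") {
  return `${protocol}://${hostHeader}${path}`;
}

// Model of the SSR interceptor: a relative HttpClient URL is resolved
// against the origin the emulated DOM adopted.
function resolveRelative(origin, relativePath) {
  return new URL(relativePath, origin).href;
}

// Run one request through both versions of the check and report where a
// relative backend call would be sent under each.
function simulate(requestUrl, allowedHosts, relativePath) {
  const origin = lenientOrigin(requestUrl);
  const vulnerable = hostAllowedVulnerable(requestUrl, allowedHosts);
  const hardened = hostAllowedHardened(requestUrl, allowedHosts);
  return {
    strictParses: strictCanParse(requestUrl),
    vulnerableAccepts: vulnerable,
    hardenedAccepts: hardened,
    // A destination only exists if the request got past the check.
    vulnerableDestination: vulnerable && origin ? resolveRelative(origin, relativePath) : null,
    hardenedDestination: hardened && origin ? resolveRelative(origin, relativePath) : null,
  };
}

// Constructed inputs for the demonstration.
const ALLOWED_HOSTS = new Set(["app.example"]);          // default-deny allowlist
const BENIGN_URL = urlFromHostHeader("app.example", "/");
const DOUBLE_PORT_URL = urlFromHostHeader("attacker.example:80:80", "/"); // host:port:port
const RELATIVE_CALL = "/api/session";                    // a relative HttpClient call

console.log("benign:", simulate(BENIGN_URL, ALLOWED_HOSTS, RELATIVE_CALL));
console.log("double port:", simulate(DOUBLE_PORT_URL, ALLOWED_HOSTS, RELATIVE_CALL));
```

With the double-port URL, `strictCanParse` returns false (the WHATWG port state rejects the second `:`), the vulnerable check therefore returns "allowed" without ever consulting the allowlist, and the lenient stand-in still yields `http://attacker.example` as the origin, so the relative call is resolved to the attacker's host. The hardened check rejects the same request outright. The general rule this illustrates is that any validation gated on "does the strict parser accept this input?" must treat a parse failure as a rejection, not as a pass.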
Mitigation
Angular versions prior to 19 were already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations. Note that tightening the allowedHosts configuration does not mitigate the issue on its own, since the validation is skipped entirely for the malformed URLs described above.
- Migrate affected applications to a patched version of Angular.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- 0xEr3n (reporter)