Yenya030

Rank #16126 of 53,633 · Total CVSS 16.7 · Vulnerabilities: 2 (High: 1, Critical: 1)

PT-2026-21966 · CVSS 9.2 · 2026-02-25
Google · Angular · CVE-2026-27739
**Name of the Vulnerable Software and Affected Versions**

Angular SSR (`@angular/ssr`) versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 (one fixed release per supported line).

**Description**

Angular SSR, the server-side rendering package for Angular applications, contains a Server-Side Request Forgery (SSRF) issue in its request handling pipeline. The framework derives the application's base origin from client-controlled HTTP headers, specifically `Host` and the `X-Forwarded-*` family, without validating them. Because server-side code resolves relative URLs against that origin, an attacker who can set these headers can steer requests the server makes while rendering (for example, an `HttpClient` call to a relative `/api/...` path) to a host of their choosing. Any credentials the server attaches to those requests can be captured, and the same primitive can be used to probe internal network addresses, so the impact is primarily a confidentiality breach.

The flaw is reachable in two ways: implicitly, through relative URL resolution during rendering, and explicitly, where application code builds absolute URLs from `req.headers`. Exploitation requires that the attacker can reach the application server with arbitrary headers and that no upstream component (reverse proxy, load balancer) overwrites or rejects `Host` and `X-Forwarded-*` before the request arrives.

**Recommendations**

Upgrade to the fixed release of the line in use (`npm ls @angular/ssr` shows the installed version):

- Versions prior to 21.2.0-rc.1: upgrade to 21.2.0-rc.1 or later
- Versions prior to 21.1.5: upgrade to 21.1.5 or later
- Versions prior to 20.3.17: upgrade to 20.3.17 or later
- Versions prior to 19.2.21: upgrade to 19.2.21 or later

Regardless of version, avoid using `req.headers` when constructing URLs for server-side requests; take the base origin for API calls from trusted configuration (an environment variable or server config) instead. If an immediate upgrade is not possible, add a middleware in `server.ts` that rejects requests whose `Host` is not an allowlisted, validated hostname with a numeric port, and consult `X-Forwarded-*` only when the server sits behind a trusted proxy (in Express, limit `trust proxy` to that proxy's addresses rather than enabling it globally).
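The header-trust problem and the middleware-style mitigation described above, as an added TypeScript example. This is not Angular's code and not the fix shipped in the patched releases; it assumes an Express-like request object and a hypothetical `OriginPolicy` configuration (`allowedHosts`, `behindTrustedProxy`, `defaultProto`). The spoofed request at the bottom is constructed to show the difference between the two origin derivations.

```typescript
// Added example (not Angular's code): deriving the base origin for server-side
// requests from an allowlist instead of trusting Host / X-Forwarded-*.
// OriginPolicy, resolveBaseOrigin and enforceOrigin are hypothetical names.

type HeaderValue = string | string[] | undefined;

export interface RequestLike {
  headers: Record<string, HeaderValue>;
  protocol?: string; // set by Express; only meaningful behind a trusted proxy
}

export interface OriginPolicy {
  allowedHosts: Set<string>;   // lowercase "hostname" or "hostname:port"
  behindTrustedProxy: boolean; // only then are X-Forwarded-* headers consulted
  defaultProto: 'http' | 'https';
}

function firstValue(v: HeaderValue): string | undefined {
  if (v === undefined) return undefined;
  const s = Array.isArray(v) ? v[0] : v;
  // X-Forwarded-* may carry a comma-separated hop chain; take the first entry.
  const head = s.split(',')[0].trim();
  return head.length > 0 ? head : undefined;
}

// Vulnerable pattern as the advisory describes it: whatever the client sent
// becomes the origin that relative URLs are resolved against.
export function vulnerableBaseOrigin(req: RequestLike): string {
  const proto = firstValue(req.headers['x-forwarded-proto']) ?? req.protocol ?? 'http';
  const host =
    firstValue(req.headers['x-forwarded-host']) ?? firstValue(req.headers['host']) ?? 'localhost';
  return `${proto}://${host}`;
}

// RFC 1123 host labels plus an optional numeric port. Rejects userinfo ('@'),
// paths, IPv6 literals and anything that is not a bare host[:port].
const HOST_RE =
  /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*(?::(\d{1,5}))?$/i;

export function parseHostHeader(raw: string | undefined): { hostname: string; port?: number } | null {
  if (raw === undefined) return null;
  const value = raw.trim();
  const m = HOST_RE.exec(value);
  if (m === null) return null;
  let port: number | undefined;
  if (m[1] !== undefined) {
    port = Number(m[1]);
    if (!Number.isInteger(port) || port < 1 || port > 65535) return null;
  }
  const hostname = (port === undefined ? value : value.slice(0, value.lastIndexOf(':'))).toLowerCase();
  if (hostname.length > 253) return null;
  return { hostname, port };
}

export type OriginResult = { ok: true; origin: string } | { ok: false; reason: string };

// Hardened derivation: the client never chooses the host; the scheme is taken
// from configuration unless a trusted proxy is in front of the server.
export function resolveBaseOrigin(req: RequestLike, policy: OriginPolicy): OriginResult {
  const hostHeader = policy.behindTrustedProxy
    ? firstValue(req.headers['x-forwarded-host']) ?? firstValue(req.headers['host'])
    : firstValue(req.headers['host']);
  const parsed = parseHostHeader(hostHeader);
  if (parsed === null) return { ok: false, reason: 'malformed or missing Host header' };

  const candidate = parsed.port === undefined ? parsed.hostname : `${parsed.hostname}:${parsed.port}`;
  if (!policy.allowedHosts.has(candidate)) return { ok: false, reason: `host ${candidate} not allowlisted` };

  let proto: string = policy.defaultProto;
  if (policy.behindTrustedProxy) {
    const fwd = firstValue(req.headers['x-forwarded-proto'])?.toLowerCase();
    if (fwd === 'http' || fwd === 'https') proto = fwd;
  }
  return { ok: true, origin: `${proto}://${candidate}` };
}

// Express-style middleware: reject the request up front so that rendering code
// downstream never sees an unvalidated origin.
export function enforceOrigin(policy: OriginPolicy) {
  return (
    req: RequestLike & { baseOrigin?: string },
    res: { status(code: number): { send(body: string): unknown } },
    next: () => void,
  ): void => {
    const r = resolveBaseOrigin(req, policy);
    if (!r.ok) { res.status(400).send('Bad Request'); return; }
    req.baseOrigin = r.origin; // SSR code reads this, not req.headers
    next();
  };
}

// Constructed sample: a direct client spoofing Host and X-Forwarded-Proto.
export const spoofedRequest: RequestLike = {
  headers: { host: 'attacker.example', 'x-forwarded-proto': 'https' },
  protocol: 'http',
};
export const policy: OriginPolicy = {
  allowedHosts: new Set(['app.example.com', 'app.example.com:443']),
  behindTrustedProxy: false,
  defaultProto: 'https',
};
// A relative API path resolved the vulnerable way leaves for the attacker's host.
export const vulnerableTarget = new URL('/api/session', vulnerableBaseOrigin(spoofedRequest)).toString();
export const hardenedResult = resolveBaseOrigin(spoofedRequest, policy);
```

`enforceOrigin(policy)` is meant to be registered in `server.ts` before the SSR handler; the handler then builds absolute URLs from `req.baseOrigin`. Note that `behindTrustedProxy` must be false for a server reachable directly, otherwise `X-Forwarded-Host` reopens the same hole one header over.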