PT-2026-37114 · Google · Angular
Ylchen-007 · Published 2026-04-16 · Updated 2026-05-12 · CVE-2026-41423
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
Angular versions prior to 19.2.21
Angular versions prior to 20.3.19
Angular versions prior to 21.2.9
Angular versions prior to 22.0.0-next.8
Description
A Server-Side Request Forgery (SSRF) issue exists in @angular/platform-server due to improper URL handling during Server-Side Rendering (SSR). When a request whose path contains a backslash (e.g., GET /\evil.com/) is processed, the URL parser normalizes the backslash to a forward slash for HTTP/HTTPS schemes, so the path is parsed as a protocol-relative URL (//evil.com/) and the attacker's domain is taken to be the local origin. As a result, relative HttpClient requests and PlatformLocation.hostname references are directed to the attacker-controlled server, which may expose internal APIs or metadata services. This affects the renderModule(), renderApplication(), and CommonEngine functions.
Recommendations
Update to version 19.2.21.
Update to version 20.3.19.
Update to version 21.2.9.
Update to version 22.0.0-next.8.
Implement middleware that sanitizes the request URL by stripping or normalizing leading slashes, so the URL starts with a single forward slash before it reaches Angular.
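The following is an added illustration, not code from Angular or from this advisory: it shows how a request path with a leading backslash resolves against the server origin (the behaviour the description refers to), and a small Express-style middleware of the kind the recommendation describes. The origin, hostnames and request paths are constructed sample values, and the middleware wiring (req.url holding the raw request target) is an assumption.

```javascript
// Added example, not Angular's own code. Hostnames, paths and the
// middleware wiring (req.url = raw request target) are constructed assumptions.

// Resolve a request path against the server's own origin, as an SSR layer
// does when it turns a relative HttpClient URL into an absolute one.
function resolveAgainstOrigin(requestPath, origin) {
  return new URL(requestPath, origin);
}

// Collapse any leading run of "/" and "\" into a single "/", so the path can
// never be read as a protocol-relative "//host/..." URL by the WHATWG parser.
function normalizeLeadingSlashes(requestPath) {
  return requestPath.replace(/^[\/\\]+/, '/');
}

// Express-style middleware (hypothetical wiring) that applies the
// normalization before the URL is handed to Angular's SSR entry points.
function leadingSlashGuard(req, res, next) {
  req.url = normalizeLeadingSlashes(req.url);
  next();
}

// Constructed server origin and sample request targets; the second and third
// carry a leading backslash or double slash.
const ORIGIN = 'http://localhost:4000';
const SAMPLES = [
  '/api/profile',
  '/\\attacker.example/api/profile',
  '//attacker.example/api/profile',
];

// Hostname the SSR layer would contact for a given raw request path.
function hostnameSeenBySsr(requestPath) {
  return resolveAgainstOrigin(requestPath, ORIGIN).hostname;
}

for (const p of SAMPLES) {
  console.log(
    JSON.stringify(p),
    'raw ->', hostnameSeenBySsr(p),
    '| normalized ->', hostnameSeenBySsr(normalizeLeadingSlashes(p)),
  );
}
```

Resolving the raw backslash path yields the foreign hostname, while the normalized path resolves back to the server's own host.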

Fix

SSRF

Related Identifiers

CVE-2026-41423
GHSA-45Q2-GJVG-7973

Affected Products

Angular