PT-2026-41374 · Npm · @Angular/Platform-Server
Published: 2026-05-15 · Updated: 2026-05-20 · CVE-2026-46417
CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
@angular/platform-server versions prior to 22.0.0-next.12
@angular/platform-server versions prior to 21.2.13
@angular/platform-server versions prior to 20.3.21
@angular/platform-server versions prior to 19.2.22
Description
A Server-Side Request Forgery (SSRF) issue exists in the server-side rendering (SSR) engine due to the way request URLs provided to rendering entry points are processed. When an absolute-form URL is passed, the internal ServerPlatformLocation can be manipulated to adopt an attacker-controlled domain as the current hostname. This allows relative HttpClient requests or PlatformLocation.hostname references to be redirected to a malicious server, which may expose internal APIs or metadata services.
Recommendations
Update to version 22.0.0-next.12.
Update to version 21.2.13.
Update to version 20.3.21.
Update to version 19.2.22.
Implement strict URL validation in the server entry point to ensure that req.url is validated against trusted hostnames or normalized to a relative path before it is passed to the renderApplication() or renderModule() functions.
Fix
SSRF
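The URL validation recommended above, as an added example (not code from Angular or from this advisory): a request target is accepted only if it is origin-form or an absolute-form URL whose host is on an allowlist, and in both cases only the path and query are passed on. `TRUSTED_HOSTS`, `PLACEHOLDER_BASE` and `normalizeRequestUrl` are hypothetical names, and the hostnames are constructed sample values.

```javascript
// Added example: TRUSTED_HOSTS, PLACEHOLDER_BASE and normalizeRequestUrl are
// hypothetical names; the hostnames are constructed sample values.
const TRUSTED_HOSTS = new Set(['app.example.com', 'localhost:4000']);
const PLACEHOLDER_BASE = 'http://ssr.invalid';

// Returns an origin-form target ("/path?query") to pass on in place of
// req.url, or null when the request should be rejected (e.g. with a 400).
function normalizeRequestUrl(rawUrl) {
  if (typeof rawUrl !== 'string' || rawUrl === '') return null;
  // Control characters and backslashes are parsed inconsistently: refuse them.
  if (/[\u0000-\u001f\u007f\\]/.test(rawUrl)) return null;
  // "//host/path" is scheme-relative and would carry its own authority.
  if (rawUrl.startsWith('//')) return null;

  let parsed;
  try {
    if (rawUrl.startsWith('/')) {
      // Origin-form: resolve against a placeholder, confirm the origin held.
      parsed = new URL(rawUrl, PLACEHOLDER_BASE);
      if (parsed.origin !== PLACEHOLDER_BASE) return null;
    } else {
      // Absolute-form: http(s) only, no userinfo, host must be allowlisted.
      parsed = new URL(rawUrl);
      if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
      if (parsed.username !== '' || parsed.password !== '') return null;
      if (!TRUSTED_HOSTS.has(parsed.host)) return null;
    }
  } catch {
    return null; // not parseable as a URL ("*", garbage)
  }
  // Drop scheme, host and fragment: only path and query reach the renderer.
  return parsed.pathname + parsed.search;
}

// Constructed request targets, printed with the decision for each.
const samples = [
  '/dashboard?tab=1',
  'http://app.example.com/products?id=7#reviews',
  'http://attacker.example/internal',
  'http://app.example.com@attacker.example/',
  '//attacker.example/x',
];
for (const s of samples) console.log(JSON.stringify(s), '->', normalizeRequestUrl(s));
```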
Affected Products
@Angular/Platform-Server