@angular/platform-server: Angular: SSRF via Hostname Hijacking in @angular/platform-server
Summary
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22. This Important Server-Side Request Forgery (SSRF) vulnerability in `@angular/platform-server` within Red Hat JBoss Fuse allows an attacker to redirect internal `HttpClient` requests or `PlatformLocation.hostname` references to an arbitrary external server. This occurs when an absolute-form URL is provided to the server-side rendering engine, potentially exposing internal APIs or metadata services. Red Hat Enterprise Linux is not affected as the vulnerable code is not in its execution path. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships. Will not fix / out of support: Red Hat Fuse 7.
Mitigation checklist
- To mitigate this vulnerability, implement strict URL validation within the server entry point of applications utilizing `@angular/platform-server`. Developers should ensure that the `req.url` is validated against a predefined list of trusted hostnames or normalized to a relative path before being passed to `renderApplication` or `renderModule`. This prevents the server-side rendering engine from being manipulated by attacker-controlled domains.
Official advisory · high-confidence parse· fetched 4 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.