Security Advisory
Dependabot Alert: #24
Severity: Critical
CVE: CVE-2026-27739
GHSA: GHSA-x288-3778-4hhx
Affected Dependency
| Field |
Value |
| Package |
@angular/ssr |
| Manifest |
pnpm-lock.yaml |
| Vulnerable range |
>= 21.0.0-next.0, < 21.1.5 |
| First patched version |
21.1.5 |
Description
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. Angular's internal URL reconstruction logic directly trusts user-controlled HTTP headers (Host, X-Forwarded-*) to determine the application's base origin without any validation.
Impact
- Credential Exfiltration: Stealing
Authorization headers or session cookies by redirecting them to an attacker's server.
- Internal Network Probing: Accessing internal services, databases, or cloud metadata endpoints (e.g.,
169.254.169.254).
- Confidentiality Breach: Accessing sensitive information processed within the server-side context.
Attack Preconditions
- Application uses Angular SSR
- Application performs
HttpClient requests using relative URLs or manually constructs URLs using Host / X-Forwarded-* headers
- Application server is reachable by an attacker who can influence these headers
- Infrastructure does not sanitize or validate incoming headers
Remediation
Upgrade @angular/ssr to version 21.1.5 or later.
Patched Versions
21.2.0-rc.1
21.1.5
20.3.17
19.2.21
References
Security Advisory
Dependabot Alert: #24
Severity: Critical
CVE: CVE-2026-27739
GHSA: GHSA-x288-3778-4hhx
Affected Dependency
@angular/ssrpnpm-lock.yaml>= 21.0.0-next.0, < 21.1.521.1.5Description
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. Angular's internal URL reconstruction logic directly trusts user-controlled HTTP headers (
Host,X-Forwarded-*) to determine the application's base origin without any validation.Impact
Authorizationheaders or session cookies by redirecting them to an attacker's server.169.254.169.254).Attack Preconditions
HttpClientrequests using relative URLs or manually constructs URLs usingHost/X-Forwarded-*headersRemediation
Upgrade
@angular/ssrto version 21.1.5 or later.Patched Versions
21.2.0-rc.121.1.520.3.1719.2.21References