AIKIDO-2026-10688

@angular/ssr is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) | GHSA-69xr-m8h6-h664 | Published May 4, 2026

Score: 86 (High Risk)

This affects:

@angular/ssr (JavaScript, npm)
  17.0.0 - 19.2.24 (fixed in 19.2.25)
  20.0.0 - 20.3.24 (fixed in 20.3.25)
  21.0.0 - 21.2.8 (fixed in 21.2.9)
  22.0.0-next.0 - 22.0.0-next.6 (fixed in 22.0.0-next.7)

TL;DR

The Angular SSR application engine incorporates reverse-proxy forwarding headers (X-Forwarded-Host, X-Forwarded-Proto, X-Forwarded-Port and similar) when building the effective request URL used for server rendering and related request handling. Earlier versions patched and filtered those headers in a way that could still mishandle certain decoded or normalized forms, so a client able to send spoofed X-Forwarded-* values could skew the host, scheme, port or path the server believed it was serving. Because that URL is the base against which relative URLs are resolved during rendering, the server could be induced to issue HTTP requests to a host of the attacker's choosing: a Server-Side Request Forgery. The fix eagerly sanitizes forwarding headers under a secure default (they are ignored unless the application opts in), applies stricter validation of the forwarded values it accepts when constructing URLs, exposes the opt-in explicitly through a trustProxyHeaders option (which can also be configured from environment variables), and can deoptimize to client-side rendering when the forwarded metadata is not trustworthy.
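The mechanism above, as an added illustrative example rather than @angular/ssr's own code: forwarding headers are stripped before URL construction unless a trustProxyHeaders option is set, what remains is validated with strict syntax rather than patched, a relative fetch is resolved against the resulting base (the SSRF sink), and an untrustworthy base deoptimizes to client-side rendering. All helper names, the option shape, the TRUST_PROXY_HEADERS environment variable and the sample requests are assumptions made for this demo and do not describe Angular's implementation.

```javascript
// Illustrative only; not @angular/ssr's code. Names, option shape, env var and
// sample requests below are assumptions for this demo.

const FORWARDED_HEADERS = new Set([
  'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port', 'x-forwarded-prefix',
]);

// Eager sanitisation under a secure default: unless the deployment explicitly
// trusts its reverse proxy, forwarding headers are dropped before anything
// downstream can read them, so they cannot influence URL construction at all.
function sanitizeForwardedHeaders(headers, trustProxyHeaders) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!trustProxyHeaders && FORWARDED_HEADERS.has(key)) continue;
    out[key] = value;
  }
  return out;
}

// Hypothetical env-var opt-in; the real variable name is not given on this page.
function trustProxyHeadersFromEnv(env) {
  const v = (env.TRUST_PROXY_HEADERS ?? '').trim().toLowerCase();
  return v === '1' || v === 'true';
}

// First element of a comma-separated header value (what the outermost trusted
// proxy recorded). Returns undefined when the header is absent.
function firstValue(value) {
  return typeof value === 'string' ? value.split(',')[0].trim() : undefined;
}

// Strict authority syntax: hostname characters only, optional numeric port.
// '@' userinfo, '%' escapes, whitespace or '/' are rejected outright rather
// than "cleaned", so decoded or normalised variants cannot slip through.
function parseHostPort(value) {
  const m = /^([A-Za-z0-9.-]+)(?::(\d{1,5}))?$/.exec(value ?? '');
  if (!m || Number(m[2] ?? 0) > 65535) return null;
  return { hostname: m[1].toLowerCase(), port: m[2] };
}

// Build the effective request URL. Returns null when the metadata cannot be
// trusted; callers must not render on the server against such a base.
function effectiveRequestUrl(req, { trustProxyHeaders = false } = {}) {
  const h = sanitizeForwardedHeaders(req.headers, trustProxyHeaders);
  const hostPort = parseHostPort(firstValue(h['x-forwarded-host']) ?? h.host);
  const proto = firstValue(h['x-forwarded-proto']) ?? 'http';
  const fwdPort = firstValue(h['x-forwarded-port']);
  const prefix = firstValue(h['x-forwarded-prefix']) ?? '';

  if (!hostPort || !/^https?$/i.test(proto)) return null;
  if (fwdPort !== undefined) {
    if (!/^\d{1,5}$/.test(fwdPort) || Number(fwdPort) > 65535) return null;
    hostPort.port = fwdPort;
  }
  if (prefix && !/^\/[A-Za-z0-9._~\/-]*$/.test(prefix)) return null;
  if (typeof req.path !== 'string' || !req.path.startsWith('/')) return null;

  const authority = hostPort.port ? `${hostPort.hostname}:${hostPort.port}` : hostPort.hostname;
  let url;
  try {
    url = new URL(`${proto.toLowerCase()}://${authority}${prefix}${req.path}`);
  } catch {
    return null;
  }
  // Post-parse check: the WHATWG parser must not have reinterpreted the
  // authority (userinfo, a different host) relative to what was validated.
  if (url.username || url.password || url.hostname !== hostPort.hostname) return null;
  return url.href;
}

// What SSR does with a relative HttpClient-style URL: resolve it against the
// effective base. With a trusted but spoofed X-Forwarded-Host this is the SSRF.
function resolveSsrFetch(req, relativeUrl, opts) {
  const base = effectiveRequestUrl(req, opts);
  return base === null ? null : new URL(relativeUrl, base).href;
}

// Deoptimise to client-side rendering when the base cannot be trusted.
function renderOrFallback(req, opts) {
  const url = effectiveRequestUrl(req, opts);
  return url === null ? { mode: 'csr' } : { mode: 'ssr', url };
}

// Constructed sample requests (not captured traffic).
const spoofed = {
  path: '/products',
  headers: { host: 'shop.example', 'x-forwarded-host': 'attacker.example', 'x-forwarded-proto': 'https' },
};
const behindProxy = {
  path: '/products',
  headers: { host: 'internal-app:4000', 'x-forwarded-host': 'shop.example', 'x-forwarded-proto': 'https' },
};
```

With the default (trustProxyHeaders off) the spoofed request resolves against the Host header, so a relative `/api/items` fetch stays on shop.example; with trust enabled the same request would resolve against attacker.example, which is why the option must only be turned on when every hop between the client and the SSR server is a proxy that overwrites X-Forwarded-*. Malformed forwarded values (an `@` in the host, a non-HTTP scheme, a percent-escape) yield null and a CSR fallback instead of a "repaired" URL.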

Who does this affect?

You are affected if you run a version of @angular/ssr within one of the vulnerable ranges listed above. Exposure is greatest when the SSR server is reachable directly by clients, or sits behind a proxy that passes client-supplied X-Forwarded-* headers through unchanged, since those headers are what an attacker needs to control; a proxy that strips or overwrites them reduces but does not remove the need to upgrade.

Background info

@angular/ssr is vulnerable to Server-Side Request Forgery (SSRF) in versions 17.0.0 - 19.2.24, 20.0.0 - 20.3.24, 21.0.0 - 21.2.8 and 22.0.0-next.0 - 22.0.0-next.6.

How to fix this

Upgrade @angular/ssr to the fixed release for your major line: 19.2.25, 20.3.25, 21.2.9 or 22.0.0-next.7. After upgrading, leave trustProxyHeaders disabled unless the SSR server is only reachable through a reverse proxy that you control and that overwrites incoming X-Forwarded-* headers; enabling it behind an untrusted hop reintroduces the spoofing path.