Angular: SSRF via Hostname Hijacking in @angular/platform-server_CVE-2026-46417

8.8 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.

AI Analysis

Server-Side Request Forgery (SSRF) vulnerability in @angular/platform-server

Basic Information

ID CVE-2026-46417

Source GitHub_M

Published Jun 22, 2026 at 15:40

Modified Jun 22, 2026 at 15:48

Affected Product

Vendor angular

Product angular

Version >= 22.0.0-next.0, < 22.0.0-next.12

Affected Versions angular angular >= 22.0.0-next.0, < 22.0.0-next.12
angular angular >= 21.0.0-next.0, < 21.2.13
angular angular >= 20.0.0-next.0, < 20.3.21
angular angular >= 19.0.0-next.0, < 19.2.22
angular angular <= 18.2.14

CWE Classification

CWE-918

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Google

Product Angular

Version <= 22.0.0-next.11, <= 21.2.12, <= 20.3.20, <= 19.2.21

References

{
    "lastseen": "",
    "description": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the \"current\" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.",
    "published": "2026-06-22T15:40:32.527Z",
    "modified": "2026-06-22T15:48:53.298Z",
    "type": "cve",
    "title": "Angular: SSRF via Hostname Hijacking in @angular/platform-server",
    "source": "GitHub_M",
    "references": "https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v\nhttps://github.com/angular/angular/pull/68570",
    "id": "CVE-2026-46417",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "angular angular >= 22.0.0-next.0, < 22.0.0-next.12\nangular angular >= 21.0.0-next.0, < 21.2.13\nangular angular >= 20.0.0-next.0, < 20.3.21\nangular angular >= 19.0.0-next.0, < 19.2.22\nangular angular <= 18.2.14",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "angular",
    "version": ">= 22.0.0-next.0, < 22.0.0-next.12",
    "vendor": "angular",
    "ai_description": "Server-Side Request Forgery (SSRF) vulnerability in @angular/platform-server",
    "ai_severity": "High",
    "ai_vendor": "Google",
    "ai_product": "Angular",
    "ai_version": "<= 22.0.0-next.11, <= 21.2.12, <= 20.3.20, <= 19.2.21",
    "ai_score": 8.8
}