Vulnerability-Lookup

CVE-2026-46417 (GCVE-0-2026-46417)

Vulnerability from cvelistv5 – Published: 2026-06-22 15:40 – Updated: 2026-06-30 03:15

Title

Angular: SSRF via Hostname Hijacking in @angular/platform-server

Summary

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.

Severity

8.8 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

5 references

URL	Tags
https://github.com/angular/angular/security/advis…	x_refsource_CONFIRM
https://github.com/angular/angular/pull/68570	x_refsource_MISC
https://access.redhat.com/security/cve/CVE-2026-46417	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2491444	issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v…	x_sadp-csaf-vex

Impacted products

3 products

Vendor	Product	Version
angular	angular	Affected: >= 22.0.0-next.0, < 22.0.0-next.12 Affected: >= 21.0.0-next.0, < 21.2.13 Affected: >= 20.0.0-next.0, < 20.3.21 Affected: >= 19.0.0-next.0, < 19.2.22 Affected: <= 18.2.14
Red Hat	Red Hat Fuse 7	cpe:/a:redhat:jboss_fuse:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-46417",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T14:16:15.745160Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T14:18:28.135Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:jboss_fuse:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Fuse 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-06-22T15:40:32.527Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the \"current\" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T03:15:36.788Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-46417"
          },
          {
            "name": "RHBZ#2491444",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491444"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46417.json"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-22T18:01:21.611Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-22T15:40:32.527Z",
            "value": "Made public."
          }
        ],
        "title": "@angular/platform-server: Angular: SSRF via Hostname Hijacking in @angular/platform-server",
        "workarounds": [
          {
            "lang": "en",
            "value": "To mitigate this vulnerability, implement strict URL validation within the server entry point of applications utilizing `@angular/platform-server`. Developers should ensure that the `req.url` is validated against a predefined list of trusted hostnames or normalized to a relative path before being passed to `renderApplication` or `renderModule`. This prevents the server-side rendering engine from being manipulated by attacker-controlled domains."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "angular",
          "vendor": "angular",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-next.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 21.0.0-next.0, \u003c 21.2.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 20.0.0-next.0, \u003c 20.3.21"
            },
            {
              "status": "affected",
              "version": "\u003e= 19.0.0-next.0, \u003c 19.2.22"
            },
            {
              "status": "affected",
              "version": "\u003c= 18.2.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the \"current\" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-22T15:48:53.298Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v"
        },
        {
          "name": "https://github.com/angular/angular/pull/68570",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/angular/angular/pull/68570"
        }
      ],
      "source": {
        "advisory": "GHSA-rfh7-fxqc-q52v",
        "discovery": "UNKNOWN"
      },
      "title": "Angular: SSRF via Hostname Hijacking in @angular/platform-server"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-46417",
    "datePublished": "2026-06-22T15:40:32.527Z",
    "dateReserved": "2026-05-13T21:04:10.933Z",
    "dateUpdated": "2026-06-30T03:15:36.788Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46417",
      "date": "2026-06-29",
      "epss": "0.00165",
      "percentile": "0.06036"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46417\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-22T18:16:38.470\",\"lastModified\":\"2026-06-30T03:20:21.733\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the \\\"current\\\" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"angular\",\"product\":\"angular\",\"versions\":[{\"version\":\"\u003e= 22.0.0-next.0, \u003c 22.0.0-next.12\",\"status\":\"affected\"},{\"version\":\"\u003e= 21.0.0-next.0, \u003c 21.2.13\",\"status\":\"affected\"},{\"version\":\"\u003e= 20.0.0-next.0, \u003c 20.3.21\",\"status\":\"affected\"},{\"version\":\"\u003e= 19.0.0-next.0, \u003c 19.2.22\",\"status\":\"affected\"},{\"version\":\"\u003c= 18.2.14\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Fuse 7\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:jboss_fuse:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 8\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:8\"]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-23T14:16:15.745160Z\",\"id\":\"CVE-2026-46417\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"18.2.14\",\"matchCriteriaId\":\"A70036B6-0384-40CC-9402-261200050260\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"19.0.0\",\"versionEndExcluding\":\"19.2.22\",\"matchCriteriaId\":\"5892FCD3-4B02-4790-B16D-F5B5E64B9592\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"20.0.0\",\"versionEndExcluding\":\"20.3.21\",\"matchCriteriaId\":\"7AC94940-4E09-4F33-9098-D34F5A6CC04C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"21.0.0\",\"versionEndExcluding\":\"21.2.13\",\"matchCriteriaId\":\"4D1C193D-C031-43D8-89F8-35C923326798\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:next0:*:*:*:*:*:*\",\"matchCriteriaId\":\"3CAB422E-FCB2-4AD0-8C6F-90F8DDCF046B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:next1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3F939B4-3291-4AC7-B8A0-437981B44A15\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:next10:*:*:*:*:*:*\",\"matchCriteriaId\":\"5EF3D989-611A-4794-BF55-18E32CD6A37C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:next11:*:*:*:*:*:*\",\"matchCriteriaId\":\"2D66CF2E-7578-41ED-8714-4BB4124E1BBF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:next12:*:*:*:*:*:*\",\"matchCriteriaId\":\"45E0B5CB-3D0D-4E94-B5B5-DA44868AFC56\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:next2:*:*:*:*:*:*\",\"matchCriteriaId\":\"DE5BE0D4-C971-4BDE-9208-A804D4D0F499\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:next3:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E2939BC-2B96-421F-9A92-213FC8E69958\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:next4:*:*:*:*:*:*\",\"matchCriteriaId\":\"A6334AFE-E843-4DD0-8118-B843BB54D62F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:next5:*:*:*:*:*:*\",\"matchCriteriaId\":\"9B7E0ECF-91DD-4F4A-B1A4-66A3380E0D52\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:next6:*:*:*:*:*:*\",\"matchCriteriaId\":\"8AA37933-9C41-4B5D-BB35-FC8BAD3FBB1A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:next7:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD03563D-4DAC-4C3A-A89B-277C2109BC3F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:next8:*:*:*:*:*:*\",\"matchCriteriaId\":\"C42CDCDD-BCAF-4F2F-8A0D-703431BDA3AF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:next9:*:*:*:*:*:*\",\"matchCriteriaId\":\"07E4BC13-3946-4756-A10F-8DBDC812553C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:rc0:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2AA884A-730A-45C6-83FE-104E9FD358EC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:angularjs:angularjs:22.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"6EA55F1C-F490-4E2F-9E93-5FF1C31FC78F\"}]}]}],\"references\":[{\"url\":\"https://github.com/angular/angular/pull/68570\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-46417\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2491444\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46417.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"@angular/platform-server: Angular: SSRF via Hostname Hijacking in @angular/platform-server\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:jboss_fuse:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Fuse 7\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-06-22T18:01:21.611Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-06-22T15:40:32.527Z\", \"value\": \"Made public.\"}], \"x_adpType\": \"supplier\", \"datePublic\": \"2026-06-22T15:40:32.527Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2026-46417\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2491444\", \"name\": \"RHBZ#2491444\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46417.json\", \"tags\": [\"x_sadp-csaf-vex\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"To mitigate this vulnerability, implement strict URL validation within the server entry point of applications utilizing `@angular/platform-server`. Developers should ensure that the `req.url` is validated against a predefined list of trusted hostnames or normalized to a relative path before being passed to `renderApplication` or `renderModule`. This prevents the server-side rendering engine from being manipulated by attacker-controlled domains.\"}], \"x_generator\": {\"engine\": \"sadp-cli 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the \\\"current\\\" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.\"}], \"providerMetadata\": {\"orgId\": \"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\", \"shortName\": \"redhat-SADP\", \"dateUpdated\": \"2026-06-30T03:15:36.788Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-46417\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-23T14:16:15.745160Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-23T14:16:20.310Z\"}}], \"cna\": {\"title\": \"Angular: SSRF via Hostname Hijacking in @angular/platform-server\", \"source\": {\"advisory\": \"GHSA-rfh7-fxqc-q52v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"angular\", \"product\": \"angular\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 22.0.0-next.0, \u003c 22.0.0-next.12\"}, {\"status\": \"affected\", \"version\": \"\u003e= 21.0.0-next.0, \u003c 21.2.13\"}, {\"status\": \"affected\", \"version\": \"\u003e= 20.0.0-next.0, \u003c 20.3.21\"}, {\"status\": \"affected\", \"version\": \"\u003e= 19.0.0-next.0, \u003c 19.2.22\"}, {\"status\": \"affected\", \"version\": \"\u003c= 18.2.14\"}]}], \"references\": [{\"url\": \"https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v\", \"name\": \"https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/angular/angular/pull/68570\", \"name\": \"https://github.com/angular/angular/pull/68570\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the \\\"current\\\" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-22T15:48:53.298Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-46417\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-30T03:15:36.788Z\", \"dateReserved\": \"2026-05-13T21:04:10.933Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-22T15:40:32.527Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-RFH7-FXQC-Q52V

Vulnerability from github – Published: 2026-05-19 20:29 – Updated: 2026-05-19 20:29

Summary

@angular/platform-server: SSRF via Hostname Hijacking

Details

Impact

A Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points.

When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname.

Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services.

Fix Information

The vulnerability is mitigated by introducing an Allowlist Mechanism directly into the core rendering APIs. The renderModule and renderApplication functions now include an allowedHosts configuration option. The rendering engine validates the hostname extracted from the request URL against this list before proceeding. If the hostname does not match an allowed entry, the engine prevents the hostname hijacking, ensuring that HttpClient requests remain restricted to trusted domains.

Patches

22.0.0-next.12
21.2.13
20.3.21
19.2.22

Workarounds

Developers unable to update immediately should implement strict URL validation in their server entry point (e.g., server.ts). Ensure that req.url is validated against a known list of trusted hostnames or normalized to a relative path before being passed torenderApplication or renderModule.

// Example manual normalization in Express
app.get('*', (req, res, next) => {
  const trustedHost = 'localhost:4000';
  // Ensure the request target matches expectations
  if (req.headers.host !== trustedHost) {
     return res.status(403).send('Forbidden');
  }
  next();
});

Severity

8.8 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/platform-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "22.0.0-next.0"
            },
            {
              "fixed": "22.0.0-next.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/platform-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "21.0.0-next.0"
            },
            {
              "fixed": "21.2.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/platform-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "20.0.0-next.0"
            },
            {
              "fixed": "20.3.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/platform-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0-next.0"
            },
            {
              "fixed": "19.2.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/platform-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "18.2.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T20:29:49Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA Server-Side Request Forgery (SSRF) vulnerability exists in `@angular/platform-server`. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points.\n\nWhen an absolute-form URL (e.g., `http://evil.com`) is passed to the rendering engine, the internal `ServerPlatformLocation` can be manipulated into adopting the attacker-controlled domain as the \"current\" hostname.\n\nConsequently, any relative `HttpClient` requests or `PlatformLocation.hostname` references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services.\n\n### Fix Information\nThe vulnerability is mitigated by introducing an Allowlist Mechanism directly into the core rendering APIs.\nThe renderModule and renderApplication functions now include an allowedHosts configuration option. The rendering engine validates the hostname extracted from the request URL against this list before proceeding. If the hostname does not match an allowed entry, the engine prevents the hostname hijacking, ensuring that HttpClient requests remain restricted to trusted domains.\n\n\n### Patches\n- 22.0.0-next.12\n- 21.2.13\n- 20.3.21\n- 19.2.22\n\n\n### Workarounds\nDevelopers unable to update immediately should implement strict URL validation in their server entry point (e.g., `server.ts`). Ensure that `req.url` is validated against a known list of trusted hostnames or normalized to a relative path before being passed to`renderApplication` or `renderModule`.\n\n```TypeScript\n// Example manual normalization in Express\napp.get(\u0027*\u0027, (req, res, next) =\u003e {\n  const trustedHost = \u0027localhost:4000\u0027;\n  // Ensure the request target matches expectations\n  if (req.headers.host !== trustedHost) {\n     return res.status(403).send(\u0027Forbidden\u0027);\n  }\n  next();\n});\n```",
  "id": "GHSA-rfh7-fxqc-q52v",
  "modified": "2026-05-19T20:29:49Z",
  "published": "2026-05-19T20:29:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v"
    },
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular/pull/68570"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/angular/angular"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@angular/platform-server: SSRF via Hostname Hijacking"
}

WID-SEC-W-2026-1591

Vulnerability from csaf_certbund - Published: 2026-05-19 22:00 - Updated: 2026-05-19 22:00

Summary

Angular: Schwachstelle ermöglicht Offenlegung von Informationen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Angular ist ein TypeScript-basiertes Front-End-Webapplikationsframework. Es ist eine Weiterentwicklung des JavaScript basierten AngularJS.

Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Angular ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX - Windows

CVE-2026-46417

Affected products

Known affected 4 products

Product	Identifier	Version	Remediation
Open Source Angular <19.2.22 Open Source / Angular		<19.2.22
Open Source Angular <20.3.21 Open Source / Angular		<20.3.21
Open Source Angular <21.2.13 Open Source / Angular		<21.2.13
Open Source Angular <22.0.0-next.12 Open Source / Angular		<22.0.0-next.12

References

3 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/advisories/GHSA-rfh7-fxqc-q52v	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Angular ist ein TypeScript-basiertes Front-End-Webapplikationsframework. Es ist eine Weiterentwicklung des JavaScript basierten AngularJS.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Angular ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1591 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1591.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1591 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1591"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-rfh7-fxqc-q52v vom 2026-05-19",
        "url": "https://github.com/advisories/GHSA-rfh7-fxqc-q52v"
      }
    ],
    "source_lang": "en-US",
    "title": "Angular: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2026-05-19T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-20T09:55:37.307+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1591",
      "initial_release_date": "2026-05-19T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c22.0.0-next.12",
                "product": {
                  "name": "Open Source Angular \u003c22.0.0-next.12",
                  "product_id": "T054340"
                }
              },
              {
                "category": "product_version",
                "name": "22.0.0-next.12",
                "product": {
                  "name": "Open Source Angular 22.0.0-next.12",
                  "product_id": "T054340-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:angular:angular:22.0.0-next.12"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c21.2.13",
                "product": {
                  "name": "Open Source Angular \u003c21.2.13",
                  "product_id": "T054341"
                }
              },
              {
                "category": "product_version",
                "name": "21.2.13",
                "product": {
                  "name": "Open Source Angular 21.2.13",
                  "product_id": "T054341-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:angular:angular:21.2.13"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c20.3.21",
                "product": {
                  "name": "Open Source Angular \u003c20.3.21",
                  "product_id": "T054342"
                }
              },
              {
                "category": "product_version",
                "name": "20.3.21",
                "product": {
                  "name": "Open Source Angular 20.3.21",
                  "product_id": "T054342-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:angular:angular:20.3.21"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c19.2.22",
                "product": {
                  "name": "Open Source Angular \u003c19.2.22",
                  "product_id": "T054343"
                }
              },
              {
                "category": "product_version",
                "name": "19.2.22",
                "product": {
                  "name": "Open Source Angular 19.2.22",
                  "product_id": "T054343-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:angular:angular:19.2.22"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Angular"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-46417",
      "product_status": {
        "known_affected": [
          "T054343",
          "T054342",
          "T054341",
          "T054340"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-46417"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-46417 (GCVE-0-2026-46417)

GHSA-RFH7-FXQC-Q52V

Impact

Fix Information

Patches

Workarounds

WID-SEC-W-2026-1591

Tags

Sightings

Nomenclature