Search for packages
| purl | pkg:npm/%40angular/ssr@20.0.5 |
| Next non-vulnerable version | 20.3.21 |
| Latest non-vulnerable version | 22.0.0-next.7 |
| Risk |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-8v5d-ddg5-p3bv
Aliases: CVE-2026-27738 GHSA-xh43-g2fq-wjrj |
Angular SSR has an Open Redirect via X-Forwarded-Prefix An Open Redirect vulnerability exists in the internal URL processing logic in Angular SSR. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes (e.g., `///evil.com`). 1. The application processes a redirect (e.g., from a router `redirectTo` or i18n locale switch). 2. Angular receives `///evil.com` as the prefix. 3. It strips one slash, leaving `//evil.com`. 4. The resulting string is used in the `Location` header. 5. Modern browsers interpret `//` as a protocol-relative URL, redirecting the user from `https://your-app.com` to `https://evil.com`. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-fc5v-8zkb-63bt
Aliases: CVE-2026-27739 GHSA-x288-3778-4hhx |
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline A [Server-Side Request Forgery (SSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the following: - **Host Domain**: The `Host` and `X-Forwarded-Host` headers were not checked to belong to a trusted origin. This allows an attacker to redefine the "base" of the application to an arbitrary external domain. - **Path & Character Sanitization**: The `X-Forwarded-Host` header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs. - **Port Validation**: The `X-Forwarded-Port` header was not verified as numeric, leading to malformed URI construction or injection attacks. This vulnerability manifests in two primary ways: - **Implicit Relative URL Resolution**: Angular's `HttpClient` resolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can "steer" these requests to an external server or internal service. - **Explicit Manual Construction**: Developers injecting the `REQUEST` object to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing the `Host` / `X-Forwarded-*` headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-nncd-fyne-e3fs
Aliases: CVE-2025-59052 GHSA-68x2-mx4q-78m7 |
Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
|
VCID-ucvz-8p8a-k7h4
Aliases: CVE-2026-33397 GHSA-vfx2-hv2g-xj5f |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-zp3n-sm6u-jycq
Aliases: CVE-2025-62427 GHSA-q63q-pgmf-mxhr |
Angular SSR has a Server-Side Request Forgery (SSRF) flaw The vulnerability is a **Server-Side Request Forgery (SSRF)** flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (`@angular/ssr`). The function `createRequestUrl` uses the native `URL` constructor. When an incoming request path (e.g., `originalUrl` or `url`) begins with a **double forward slash (`//`) or backslash (`\\`)**, the `URL` constructor treats it as a **schema-relative URL**. This behavior overrides the security-intended base URL (protocol, host, and port) supplied as the second argument, instead resolving the URL against the scheme of the base URL but adopting the attacker-controlled hostname. This allows an attacker to specify an external domain in the URL path, tricking the Angular SSR environment into setting the page's virtual location (accessible via `DOCUMENT` or `PlatformLocation` tokens) to this attacker-controlled domain. Any subsequent **relative HTTP requests** made during the SSR process (e.g., using `HttpClient.get('assets/data.json')`) will be incorrectly resolved against the attacker's domain, forcing the server to communicate with an arbitrary external endpoint. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-01T10:10:43.457849+00:00 | GitLab Importer | Affected by | VCID-ucvz-8p8a-k7h4 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/ssr/CVE-2026-33397.yml | 38.6.0 |
| 2026-06-01T09:47:18.614441+00:00 | GitLab Importer | Affected by | VCID-8v5d-ddg5-p3bv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/ssr/CVE-2026-27738.yml | 38.6.0 |
| 2026-06-01T09:46:45.662540+00:00 | GitLab Importer | Affected by | VCID-fc5v-8zkb-63bt | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/ssr/CVE-2026-27739.yml | 38.6.0 |
| 2026-06-01T09:05:15.028405+00:00 | GitLab Importer | Affected by | VCID-zp3n-sm6u-jycq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/ssr/CVE-2025-62427.yml | 38.6.0 |
| 2026-06-01T08:56:05.654465+00:00 | GitLab Importer | Affected by | VCID-nncd-fyne-e3fs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/ssr/CVE-2025-59052.yml | 38.6.0 |