Angular Platform-Server Server-Side Request Forgery Vulnerability
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular development platform, specifically in the @angular/platform-server package, prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8. The vulnerability arises from improper handling of URLs during Server-Side Rendering (SSR). This allows an attacker to manipulate the application's perception of the current origin, potentially redirecting internal HttpClient requests or PlatformLocation.hostname references to an attacker-controlled server. This could expose internal APIs or metadata services.
Impact
Exploitation of this vulnerability could lead to unauthorized access to internal APIs or metadata services by redirecting the application's own requests to an attacker-controlled server.
Reproduction
The vulnerability can be reproduced by sending a request whose URL includes a backslash or is protocol-relative, such as 'http://localhost:4000//evil.com'. The server passes this URL unchanged to Angular's rendering functions, where the backslash is normalized, so the attacker can hijack the application's view of its own origin.
Remediation
Users should update to Angular versions 19.2.21, 20.3.19, 21.2.9, or 22.0.0-next.8. Additionally, developers can add middleware that sanitizes the request URL before it reaches Angular, removing or normalizing leading slashes.
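The middleware mitigation described above, as an added example that is not code from Angular or from this advisory: an Express-style Node.js handler that normalizes backslashes and leading slashes in req.url, then refuses any request that would still resolve to a host other than the one the server expects. It assumes an Express-like (req, res, next) chain mounted ahead of the Angular SSR handler and a known expected origin; the function names are this example's own.

```javascript
// Added example (not Angular's own code): normalize the request path before
// the Angular SSR renderer sees it, then reject anything still off-origin.
// sanitizeRequestPath, staysOnOrigin, originGuard, runGuard are example names.

function sanitizeRequestPath(rawUrl) {
  // Treat backslashes as forward slashes, as URL parsers do for http(s),
  // so "/\evil.com" and "//evil.com" are handled identically.
  const slashed = rawUrl.replace(/\\/g, '/');
  // Collapse a run of leading slashes to one so the path can never be read
  // as a protocol-relative URL ("//evil.com") by a later parser.
  return slashed.replace(/^\/{2,}/, '/');
}

function staysOnOrigin(path, expectedOrigin) {
  // Resolve the path against the origin the server believes it serves and
  // confirm the parser did not move the request to another host.
  try {
    return new URL(path, expectedOrigin).origin === expectedOrigin;
  } catch {
    return false; // unparsable input is treated as off-origin
  }
}

function originGuard(expectedOrigin) {
  const expected = new URL(expectedOrigin).origin; // canonical form
  return function (req, res, next) {
    const cleaned = sanitizeRequestPath(req.url);
    if (!staysOnOrigin(cleaned, expected)) {
      res.statusCode = 400;
      res.end('Bad Request');
      return;
    }
    req.url = cleaned; // Angular now sees the normalized path
    next();
  };
}

// Drive the middleware with constructed req/res objects and report what the
// downstream Angular handler would observe (no server needed).
function runGuard(url, expectedOrigin) {
  const req = { url };
  const res = { statusCode: 200, end() {} };
  let reachedAngular = false;
  originGuard(expectedOrigin)(req, res, () => { reachedAngular = true; });
  return { status: res.statusCode, url: req.url, reachedAngular };
}

for (const u of ['/home?x=1', '//evil.com/app', '/\\evil.com', 'http://evil.com/x']) {
  console.log(u, '->', JSON.stringify(runGuard(u, 'http://localhost:4000')));
}
```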
