Angular SSR Flaw Enables Unauthorized Server-Side Requests in Web Apps

A critical vulnerability has been discovered in Angular Server-Side Rendering (SSR) that could allow attackers to perform Server-Side Request Forgery (SSRF) and Header Injection attacks. This flaw, tracked as CVE-2026-27739, enables unauthorized server-side requests in web applications, potentially leading to credential theft, internal network probing, and data exposure.

Affected Packages and Versions

The vulnerability affects multiple versions of the following packages:

  • @angular/ssr
  • @nguniversal/common
  • @nguniversal/express-engine

Details of the Vulnerability

The core issue lies in how Angular’s internal URL reconstruction logic processes user-controlled HTTP headers. Specifically, the framework trusts the Host and X-Forwarded-* family of headers to determine the application’s base origin without verifying the destination domain.

Key Areas Not Verified:

  • Host Domain: The Host and X-Forwarded-Host headers were not verified against trusted origins, allowing attackers to change the application’s base to a malicious external domain.
  • Path & Character Sanitization: The X-Forwarded-Host header lacked checks for path segments or special characters, enabling manipulation of the base path for relative URLs.
  • Port Validation: The X-Forwarded-Port header was not strictly validated as numeric, which could lead to malformed URI construction and injection attacks.

Impact and Attack Vectors

When exploited, this vulnerability allows attackers to steer internal requests to arbitrary destinations. This happens either when Angular’s HttpClient resolves relative URLs against the unvalidated base origin or when developers manually construct URLs from unsanitized headers.

  • Credential Exfiltration: Attackers can steal sensitive data, such as Authorization headers or session cookies, by redirecting requests to servers they control.
  • Internal Network Probing: Malicious actors can access and transmit data from internal services, databases, or cloud metadata endpoints that are not publicly exposed.
  • Confidentiality Breach: Sensitive information processed within the application’s server-side environment can be compromised.

Attack Preconditions

To successfully exploit this vulnerability, several conditions must be met:

  • The target application must be using Angular SSR.
  • The application must use HttpClient for relative URLs or manually build URLs using unvalidated headers.
  • The attacker must be able to influence these headers directly without strict validation from a front-facing proxy.
  • There must be a lack of upstream validation from infrastructure like cloud providers, CDNs, or load balancers.

Mitigation and Workarounds

Developers are strongly urged to update their @angular/ssr packages to the patched versions immediately. If an immediate upgrade is not feasible, there are workarounds available:

  • Use Absolute URLs: Avoid using req.headers for URL construction and rely on trusted, hardcoded variables for your base API paths.
  • Implement Strict Header Validation: Add middleware to your server.ts file to enforce numeric ports and validated hostnames, ensuring only approved domains can interact with the server.
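
A sketch of the header-validation workaround described above, written as Express-style middleware for server.ts. This is an added example, not code from Angular or from the original article; the allowlist contents and all function names are assumptions.

```typescript
// Added example (not Angular's patch). ALLOWED_HOSTS and all names are assumptions.
type HeaderValue = string | string[] | undefined;
interface Req { headers: Record<string, HeaderValue>; } // Node lowercases header names
interface Res { status(code: number): Res; send(body: string): unknown; }

// Assumption: the only hostnames this deployment is served under.
const ALLOWED_HOSTS: ReadonlyArray<string> = ["app.example.com", "localhost"];

// DNS-style hostname only: no path, userinfo, whitespace or IPv6 literal.
const HOSTNAME_RE = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/;

function isValidPort(port: string): boolean {
  return /^[0-9]{1,5}$/.test(port) && Number(port) >= 1 && Number(port) <= 65535;
}

// Returns a rejection reason, or null when the header is absent or acceptable.
function checkHost(name: string, raw: HeaderValue): string | null {
  if (raw === undefined) return null;
  if (typeof raw !== "string" || raw.indexOf(",") !== -1) return name + ": multiple values";
  const value = raw.trim().toLowerCase();
  const colon = value.lastIndexOf(":");
  const host = colon === -1 ? value : value.slice(0, colon);
  if (colon !== -1 && !isValidPort(value.slice(colon + 1))) return name + ": invalid port";
  if (!HOSTNAME_RE.test(host)) return name + ": malformed hostname";
  if (ALLOWED_HOSTS.indexOf(host) === -1) return name + ": host not in allowlist";
  return null;
}

function validateHeaders(headers: Record<string, HeaderValue>): string | null {
  const hostProblem = checkHost("host", headers["host"]) ||
    checkHost("x-forwarded-host", headers["x-forwarded-host"]);
  if (hostProblem) return hostProblem;
  const port = headers["x-forwarded-port"];
  if (port !== undefined && (typeof port !== "string" || !isValidPort(port))) {
    return "x-forwarded-port: not a numeric port";
  }
  return null;
}

// Express-style middleware: reject before any SSR code can read the headers.
function forwardedHeaderGuard(req: Req, res: Res, next: () => void): void {
  if (validateHeaders(req.headers) !== null) {
    res.status(400).send("Bad Request");
    return;
  }
  next();
}
```

The guard only helps if it is registered ahead of the rendering handler, so that no request reaches the SSR engine with an unchecked Host, X-Forwarded-Host or X-Forwarded-Port value.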

By taking these steps, organizations can protect their Angular applications from unauthorized server-side requests and maintain the security of their internal networks.


Original article: https://gbhackers.com/angular-ssr-flaw/