=====================================================================
CERT-Renater Information Note No. 2026/VULN481
_____________________________________________________________________

DATE : 12/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running @angular/platform-server (npm)
versions prior to 22.0.0-next.8, 21.2.9, 20.3.19, 19.2.21.
=====================================================================

https://github.com/angular/angular/security/advisories/GHSA-45q2-gjvg-7973
_____________________________________________________________________

SSRF via protocol-relative and backslash URLs in Angular Platform-Server

Severity : High
Published by : alan-agius4 (GHSA-45q2-gjvg-7973)
Package : @angular/platform-server (npm)

Affected versions                   Patched versions
>= 22.0.0-next.0 < 22.0.0-next.8    22.0.0-next.8
>= 21.0.0-next.0 < 21.2.9           21.2.9
>= 20.0.0-next.0 < 20.3.19          20.3.19
>= 19.0.0-next.0 < 19.2.21          19.2.21
<= 18.2.14                          n/a

Description

Impact

A Server-Side Request Forgery (SSRF) vulnerability exists in
@angular/platform-server due to improper handling of URLs during
Server-Side Rendering (SSR). When an attacker sends a request such as

    GET /\evil.com/ HTTP/1.1

the server engine (Express, etc.) passes the URL string to Angular's
rendering functions. Because the URL parser normalizes the backslash to
a forward slash for HTTP/HTTPS schemes, the path "/\evil.com/" is read
as the protocol-relative URL "//evil.com/", and the internal state of
the application is hijacked into believing that the current origin is
evil.com. This misinterpretation tricks the application into treating
the attacker's domain as the local origin. Consequently, any relative
HttpClient requests or PlatformLocation.hostname references are
redirected to the attacker-controlled server, potentially exposing
internal APIs or metadata services.
Affected APIs:
  - renderModule
  - renderApplication
  - CommonEngine (from @angular/ssr)

Non-Affected APIs:
  - AngularAppEngine (from @angular/ssr)
  - AngularNodeAppEngine (from @angular/ssr)

Attack Preconditions

  1. The server has outbound network access.
  2. The application uses Angular SSR via the affected APIs.
  3. A pathname is passed as URL to the rendering method (e.g. using
     req.url).
  4. The server-side code performs HTTP requests using HttpClient with
     relative URLs or uses PlatformLocation.hostname to build URLs.

Patches

  22.0.0-next.8
  21.2.9
  20.3.19
  19.2.21

Workarounds

Developers should implement a middleware to sanitize the request URL
before it reaches Angular. This involves stripping or normalizing
leading slashes:

    app.use((req, res, next) => {
      // Sanitize the URL to ensure it starts with a single forward slash
      if (req.url.startsWith('//') || req.url.startsWith('/\\') || req.url.startsWith('\\')) {
        req.url = '/' + req.url.replace(/^[/\\]+/, '');
      }
      next();
    });

References

  Fix

Severity

  High : 8.7 / 10

CVSS v4 base metrics

  Exploitability Metrics
    Attack Vector        : Network
    Attack Complexity    : Low
    Attack Requirements  : None
    Privileges Required  : None
    User Interaction     : None

  Vulnerable System Impact Metrics
    Confidentiality      : High
    Integrity            : None
    Availability         : None

  Subsequent System Impact Metrics
    Confidentiality      : Low
    Integrity            : Low
    Availability         : None

  Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N

CVE ID

  CVE-2026-41423

Weaknesses

  CWE-918

Credits

  @YLChen-007     YLChen-007      Reporter
  @alan-agius4    alan-agius4     Remediation developer
  @AndrewKushnir  AndrewKushnir   Remediation reviewer
  @josephperrott  josephperrott   Remediation reviewer

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41            +
+ 75013 Paris           | email : cert@support.renater.fr +
=========================================================
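The workaround middleware above, as an added runnable illustration that is not part of the advisory or of Angular's own code: it shows which host a WHATWG URL parser (Node's built-in URL) attributes to the advisory's request paths before and after sanitizing, and adds a check suitable for request logging. It assumes an SSR origin of http://localhost:4000 (placeholder) and runs under plain Node without Express.

```javascript
// Added example (not from the advisory or Angular): how a WHATWG URL parser
// resolves the request paths from the advisory against the server's own
// origin, and the effect of the advisory's workaround middleware on them.
// Assumed origin: http://localhost:4000 (placeholder for the SSR server).
const SSR_ORIGIN = 'http://localhost:4000';

// Host that Node's WHATWG `URL` attributes to `rawUrl` when it is resolved
// against the server origin. `/\evil.com/` and `//evil.com/` both become
// network-path references and resolve to evil.com, not to the server.
function resolvedHost(rawUrl, origin = SSR_ORIGIN) {
  return new URL(rawUrl, origin).hostname;
}

// The advisory's workaround as a pure function: collapse any run of leading
// forward or back slashes into a single '/', so the value can only ever be
// a path relative to the real origin.
function sanitizeRequestUrl(url) {
  if (url.startsWith('//') || url.startsWith('/\\') || url.startsWith('\\')) {
    return '/' + url.replace(/^[/\\]+/, '');
  }
  return url;
}

// Detection helper for request logging: true when the raw URL would have
// moved the resolved host off the server origin (an SSRF probe pattern).
function isOriginHijackAttempt(rawUrl, origin = SSR_ORIGIN) {
  return resolvedHost(rawUrl, origin) !== new URL(origin).hostname;
}

// Express-style middleware (same shape as the advisory's snippet) that
// rewrites req.url and records whether a rewrite was needed.
function sanitizeUrlMiddleware(req, res, next) {
  const original = req.url;
  req.url = sanitizeRequestUrl(original);
  req.urlWasSanitized = req.url !== original;
  next();
}

// Constructed sample request paths, mirroring the advisory's GET /\evil.com/.
const SAMPLE_URLS = ['/\\evil.com/', '//evil.com/api', '\\\\evil.com', '/api/users'];

function report(urls = SAMPLE_URLS) {
  return urls.map((u) => ({
    raw: u,
    before: resolvedHost(u),
    after: resolvedHost(sanitizeRequestUrl(u)),
    flagged: isOriginHijackAttempt(u),
  }));
}
```

Only the first three sample paths are flagged; the plain `/api/users` path resolves to the server origin both before and after sanitizing.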