Angular stands as a titan, powering everything from sleek mobile apps to massive enterprise desktop platforms. However, a high-severity security vulnerability has recently been unmasked in the @angular/platform-server package, revealing a “backdoor” that allows attackers to hijack the internal state of a server during rendering.
The vulnerability, which carries a CVSS score of 8.7, involves a Server-Side Request Forgery (SSRF) that leverages improper URL handling during Server-Side Rendering (SSR).
The flaw centers on how Angular’s rendering functions process specific URL strings passed from the server engine (such as Express). An attacker can trigger the vulnerability by sending a request using a protocol-relative URL or a backslash, such as GET /\evil.com/ HTTP/1.1.
The technical breakdown reveals a dangerous normalization error:
- The Normalization Gate: The URL parser automatically normalizes a backslash into a forward slash for HTTP and HTTPS schemes, so a request path such as /\evil.com/ is read as //evil.com/, a protocol-relative URL whose host is evil.com. This is how the application's internal state is effectively hijacked.
- Origin Deception: This misinterpretation tricks the application into believing that the attacker's domain (e.g., evil.com) is actually the "local origin".
- Redirected Traffic: Once the origin is hijacked, any relative HttpClient requests or PlatformLocation.hostname references are silently redirected to the attacker-controlled server.
- Impact: This creates a high-risk scenario where internal APIs, sensitive metadata services, or private internal endpoints could be exposed to an external adversary.
For an attack to be successful, several conditions must be met, including the server having outbound network access and the application utilizing specific affected APIs for SSR.
Affected APIs:
- renderModule
- renderApplication
- Common Engine (from @angular/ssr)
The vulnerability does not affect the newer AngularAppEngine or AngularNodeAppEngine from the @angular/ssr package.
The Angular team has moved swiftly to release patches across multiple version lines. Developers are strongly encouraged to update their dependencies immediately to one of the following versions:
For teams that cannot upgrade immediately, a workaround involves implementing middleware to sanitize incoming request URLs before they ever reach the Angular rendering engine. This should be configured to strip or normalize leading slashes to ensure the URL always starts with a single forward slash.
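The middleware workaround described above, as an added example that is not code from the article or from the Angular project. It assumes an Express-style server (req, res, next) in front of renderModule / renderApplication / CommonEngine; the normalizeRequestPath function itself is plain Node with no dependencies.

```javascript
"use strict";

// One or more leading "/" or "\" characters, in any mix (e.g. "/\", "\\/", "//").
const LEADING_SLASHES = /^[\\\/]+/;

// Collapse any run of leading forward or back slashes into exactly one "/".
// Constructed cases (not from the article):
//   "/\evil.com/" -> "/evil.com/"  (no longer protocol-relative; origin stays local)
//   "//evil.com/" -> "/evil.com/"
//   "/app/page"   -> "/app/page"   (unchanged)
// Note: only literal characters are handled; percent-encoded forms such as %2F or %5C
// are left as-is and should be checked against the URL parser actually deployed.
function normalizeRequestPath(url) {
  if (typeof url !== "string") return "/";
  return "/" + url.replace(LEADING_SLASHES, "");
}

// Express-style middleware factory (assumed wiring: app.use(leadingSlashGuard()) registered
// before the route that performs server-side rendering). It rewrites req.url in place so
// downstream code only ever sees a path that starts with a single "/".
// `options.log` is a hypothetical hook so rewritten requests can be surfaced to detection.
function leadingSlashGuard(options = {}) {
  const log = options.log || (() => {});
  return function guard(req, res, next) {
    const before = req.url;
    const after = normalizeRequestPath(before);
    if (after !== before) {
      // A request that needed rewriting is worth recording as a probable SSRF probe.
      log({ event: "leading-slash-normalized", before, after, ip: req.ip });
      req.url = after;
    }
    next();
  };
}

if (typeof module !== "undefined") {
  module.exports = { normalizeRequestPath, leadingSlashGuard };
}
```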