
chore(deps): update dependency @angular/ssr to v20.3.17 [security] #2432

Open
renovate[bot] wants to merge 1 commit into master from renovate/npm-angular-ssr-vulnerability


Conversation

@renovate
Contributor

@renovate renovate Bot commented Apr 8, 2026

This PR contains the following updates:

Package: @angular/ssr
Change: 20.3.3 → 20.3.17

Angular SSR has a Server-Side Request Forgery (SSRF) flaw

CVE-2025-62427 / GHSA-q63q-pgmf-mxhr

More information

Details

Impact

The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr).

The function createRequestUrl uses the native URL constructor. When an incoming request path (e.g., originalUrl or url) begins with a double forward slash (//) or backslash (\), the URL constructor treats it as a schema-relative URL. This behavior overrides the security-intended base URL (protocol, host, and port) supplied as the second argument, instead resolving the URL against the scheme of the base URL but adopting the attacker-controlled hostname.

This allows an attacker to specify an external domain in the URL path, tricking the Angular SSR environment into setting the page's virtual location (accessible via DOCUMENT or PlatformLocation tokens) to this attacker-controlled domain. Any subsequent relative HTTP requests made during the SSR process (e.g., using HttpClient.get('assets/data.json')) will be incorrectly resolved against the attacker's domain, forcing the server to communicate with an arbitrary external endpoint.

Exploit Scenario

A request to http://localhost:4200//attacker-domain.com/some-page causes Angular to believe the host is attacker-domain.com. A relative request to api/data then becomes a server-side request to http://attacker-domain.com/api/data.

Patches
  • @angular/ssr 19.2.18
  • @angular/ssr 20.3.6
  • @angular/ssr 21.0.0-next.8
Mitigation

The application's internal location must be robustly determined from the incoming request. The fix requires sanitizing or validating the request path to prevent it from being interpreted as a schema-relative URL (i.e., ensuring it does not start with //).

Server-Side Middleware

If you can't upgrade to a patched version, implement a middleware on the Node.js/Express server that hosts the Angular SSR application to explicitly reject or sanitize requests where the path begins with a double slash (//).

Example (Express/Node.js):

// Place this middleware before the Angular SSR handler
app.use((req, res, next) => {
  if (req.originalUrl?.startsWith('//')) {
    // Sanitize by forcing a single slash
    req.originalUrl = req.originalUrl.replace(/^\/\/+/, '/');
    req.url = req.url.replace(/^\/\/+/, '/');
  }
  next();
});
Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Angular SSR has an Open Redirect via X-Forwarded-Prefix

CVE-2026-27738 / GHSA-xh43-g2fq-wjrj

More information

Details

An Open Redirect vulnerability exists in the internal URL processing logic in Angular SSR. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash.

When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header, an attacker can provide a value starting with three slashes (e.g., ///evil.com).

  1. The application processes a redirect (e.g., from a router redirectTo or i18n locale switch).
  2. Angular receives ///evil.com as the prefix.
  3. It strips one slash, leaving //evil.com.
  4. The resulting string is used in the Location header.
  5. Modern browsers interpret // as a protocol-relative URL, redirecting the user from https://your-app.com to https://evil.com.
Impact

This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:

  • Scale: A single request can poison a high-traffic route, impacting all users until the cache expires.
  • SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.
  • Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.
Attack Preconditions
  • The application must use Angular SSR.
  • The application must have routes that perform internal redirects.
  • The infrastructure (Reverse Proxy/CDN) must pass the X-Forwarded-Prefix header to the SSR process without sanitization.
  • The cache must not vary on the X-Forwarded-Prefix header.
Patches
  • 21.2.0-rc.1
  • 21.1.5
  • 20.3.17
  • 19.2.21
Workarounds

Until the patch is applied, developers should sanitize the X-Forwarded-Prefix header in their server.ts before the Angular engine processes the request:

app.use((req, res, next) => {
  const prefix = req.headers['x-forwarded-prefix']?.trim();
  if (prefix) {
    // Sanitize by collapsing every leading slash or backslash into a single slash
    req.headers['x-forwarded-prefix'] = prefix.replace(/^[/\\]+/, '/');
  }
  next();
});
Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline

CVE-2026-27739 / GHSA-x288-3778-4hhx

More information

Details

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular's internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers, specifically the Host and X-Forwarded-* family, to determine the application's base origin without any validation of the destination domain.

Specifically, the framework didn't have checks for the following:

  • Host Domain: The Host and X-Forwarded-Host headers were not checked to belong to a trusted origin. This allows an attacker to redefine the "base" of the application to an arbitrary external domain.
  • Path & Character Sanitization: The X-Forwarded-Host header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs.
  • Port Validation: The X-Forwarded-Port header was not verified as numeric, leading to malformed URI construction or injection attacks.

This vulnerability manifests in two primary ways:

  • Implicit Relative URL Resolution: Angular's HttpClient resolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can "steer" these requests to an external server or internal service.
  • Explicit Manual Construction: Developers injecting the REQUEST object to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing the Host / X-Forwarded-* headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.
Impact

When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to:

  • Credential Exfiltration: Stealing sensitive Authorization headers or session cookies by redirecting them to an attacker's server.
  • Internal Network Probing: Accessing and transmitting data from internal services, databases, or cloud metadata endpoints (e.g., 169.254.169.254) not exposed to the public internet.
  • Confidentiality Breach: Accessing sensitive information processed within the application's server-side context.
Attack Preconditions
  • The victim application must use Angular SSR (Server-Side Rendering).
  • The application must perform HttpClient requests using relative URLs OR manually construct URLs using the unvalidated Host / X-Forwarded-* headers using the REQUEST object.
  • Direct Header Access: The application server is reachable by an attacker who can influence these headers without strict validation from a front-facing proxy.
  • Lack of Upstream Validation: The infrastructure (Cloud, CDN, or Load Balancer) does not sanitize or validate incoming headers.
Patches
  • 21.2.0-rc.1
  • 21.1.5
  • 20.3.17
  • 19.2.21
Workarounds
  • Use Absolute URLs: Avoid using req.headers for URL construction. Instead, use trusted variables for your base API paths.
  • Implement Strict Header Validation (Middleware): If you cannot upgrade immediately, implement a middleware in your server.ts to enforce numeric ports and validated hostnames.
const ALLOWED_HOSTS = new Set(['your-domain.com']);

app.use((req, res, next) => {
  const hostHeader = (req.headers['x-forwarded-host'] ?? req.headers['host'])?.toString();
  const portHeader = req.headers['x-forwarded-port']?.toString();

  if (hostHeader) {
    const hostname = hostHeader.split(':')[0];
    // Reject if hostname contains anything other than host-name characters
    // (e.g. path separators), or is neither allowlisted nor localhost
    if (!/^[a-z0-9.:-]+$/i.test(hostname) ||
       (!ALLOWED_HOSTS.has(hostname) && hostname !== 'localhost')) {
      return res.status(400).send('Invalid Hostname');
    }
  }

  // Ensure port is strictly numeric if provided
  if (portHeader && !/^\d+$/.test(portHeader)) {
    return res.status(400).send('Invalid Port');
  }

  next();
});
Severity

  • CVSS Score: 9.2 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

angular/angular-cli (@angular/ssr)

v20.3.17

Compare Source

@angular/ssr
Commit Type Description
8700e18d7 fix prevent open redirect via X-Forwarded-Prefix header
67582a946 fix validate host headers to prevent header-based SSRF

v20.3.16

Compare Source

@angular/cli
Commit Type Description
656888a25 fix update dependency @modelcontextprotocol/sdk to v1.26.0

v20.3.15

Compare Source

@angular/cli
Commit Type Description
795d65413 fix update pacote to v21.0.4
@angular-devkit/build-angular
Commit Type Description
ffc72cbc5 fix update webpack to version 5.104.1

v20.3.14

Compare Source

@angular/cli
Commit Type Description
ff366499e fix update dependency @modelcontextprotocol/sdk to v1.25.2

v20.3.13

Compare Source

@angular/cli
Commit Type Description
cfbb61602 fix update @modelcontextprotocol/sdk to v1.24.0

v20.3.12

Compare Source

@angular/build
Commit Type Description
25bb7e65c fix ensure correct URL joining for prerender routes
@angular/ssr
Commit Type Description
cceb86296 fix handle X-Forwarded-Prefix and APP_BASE_HREF in redirects
1abe68ad8 fix prevent redirect loop with encoded query parameters

v20.3.11

Compare Source

@angular/build
Commit Type Description
8053f2d92 fix ensure ɵgetOrCreateAngularServerApp is always defined after errors

v20.3.10

Compare Source

@schematics/angular
Commit Type Description
c854a719b fix correct tsconfig.spec.json include for spec files
@angular/build
Commit Type Description
b3908f68e fix do not remove @angular/localize when having external packages (#31721)

v20.3.9

Compare Source

@angular/ssr
Commit Type Description
08e07e338 fix improve locale handling in app-engine
683697ebc fix improve route matching for wildcard routes

v20.3.8

Compare Source

@angular-devkit/build-angular
Commit Type Description
813cba9b9 fix expand jest and jest-environment-jsdom to allow version 30
@angular/build
Commit Type Description
542973ab0 fix add adapters to new reporter
f0885691d fix ensure locale data plugin runs before other plugins
45e498f95 fix handle redirects from guards during prerendering

v20.3.7

Compare Source

@angular-devkit/schematics
Commit Type Description
a31533cf4 fix respect --force option when schematic contains host.create
@angular/build
Commit Type Description
8cdda111c fix resolve Angular locale data namespace in esbuild
5847ccc54 fix update vite to 7.11.1
@angular/ssr
Commit Type Description
3a28fb6a1 fix correctly handle routes with matrix parameters
5db6d6487 fix ensure server-side navigation triggers a redirect

v20.3.6

Compare Source

@angular/ssr
Commit Type Description
5271547c8 fix prevent malicious URL from overriding host

v20.3.5

Compare Source

@angular/build
Commit Type Description
7f7140680 fix cleanup karma temporary directory after process exit

v20.3.4

Compare Source

@schematics/angular
Commit Type Description
c94bf7ff0 fix Out of the box support for PM2
465436c9f fix use bracket notation for process.env['pm_id']
@angular-devkit/build-angular
Commit Type Description
bc6b63114 fix mark InjectionToken as pure for improved tree-shaking
@angular/build
Commit Type Description
e510ff828 fix mark InjectionToken as pure for improved tree-shaking

Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
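The three middleware workarounds quoted in the advisories above (collapsing a leading "//" or "\" in the request path, normalising X-Forwarded-Prefix, and allow-listing Host / X-Forwarded-Host with a numeric X-Forwarded-Port) written out as one added example so they can be exercised together against constructed requests. This is example code added here, not code from this PR, from Renovate or from the Angular advisories; the function names, the ALLOWED_HOSTS value and the sample request objects are assumptions. resolvedHost and locationHost only model the WHATWG URL-constructor and browser behaviour the advisories describe, not Angular's internals.

```javascript
// Added example: pure functions mirroring the three advisory workarounds, plus a
// model of why each one matters. Names, allow-list and sample data are assumed.

// CVE-2025-62427: a path starting with "//" or "\\" is parsed by the WHATWG URL
// constructor as scheme-relative, so the base's host is replaced by whatever
// follows the slashes. Collapsing the run of leading separators to a single "/"
// keeps the path relative to the base.
function collapseLeadingSlashes(path) {
  return path.replace(/^[/\\]+/, '/');
}

// Model of the createRequestUrl behaviour the advisory describes: resolve the
// request path against the server's own base and report the resulting host.
function resolvedHost(path, base = 'http://localhost:4200') {
  return new URL(path, base).host;
}

// CVE-2026-27738: normalise X-Forwarded-Prefix so that, even after one leading
// slash is stripped downstream, it can never begin with "//" and become a
// protocol-relative Location value. Returns undefined for an absent/blank header.
function sanitizeForwardedPrefix(prefix) {
  const trimmed = (prefix ?? '').toString().trim();
  return trimmed ? trimmed.replace(/^[/\\]+/, '/') : undefined;
}

// Host a browser would land on if `value` were sent as a Location header from a
// page at `base` (browsers resolve it like any relative reference).
function locationHost(value, base = 'https://your-app.com') {
  return new URL(value, base).host;
}

// CVE-2026-27739: accept only plain host-name characters, only allow-listed hosts
// (plus localhost), and only numeric ports. Array-valued headers are stringified,
// so a repeated header fails the character check because of the comma.
const ALLOWED_HOSTS = new Set(['example.com']); // assumption: the deployment's own host

function validateHostAndPort(hostHeader, portHeader) {
  if (hostHeader !== undefined) {
    const hostname = String(hostHeader).split(':')[0];
    if (!/^[a-z0-9.-]+$/i.test(hostname)) {
      return { ok: false, reason: 'invalid hostname characters' };
    }
    if (!ALLOWED_HOSTS.has(hostname) && hostname !== 'localhost') {
      return { ok: false, reason: 'host not allowed' };
    }
  }
  if (portHeader !== undefined && !/^\d+$/.test(String(portHeader))) {
    return { ok: false, reason: 'port not numeric' };
  }
  return { ok: true };
}

// Applies all three checks to an Express-style request object, mutating it in
// place, and says whether the request should be rejected with a 400.
function hardenRequest(req) {
  const h = req.headers;
  const check = validateHostAndPort(h['x-forwarded-host'] ?? h['host'], h['x-forwarded-port']);
  if (!check.ok) return { rejected: true, reason: check.reason };
  const prefix = sanitizeForwardedPrefix(h['x-forwarded-prefix']);
  if (prefix !== undefined) h['x-forwarded-prefix'] = prefix;
  req.originalUrl = collapseLeadingSlashes(req.originalUrl ?? '/');
  req.url = collapseLeadingSlashes(req.url ?? '/');
  return { rejected: false };
}

// Express wiring (not executed here): register it before the Angular SSR handler.
//   app.use((req, res, next) => {
//     const verdict = hardenRequest(req);
//     return verdict.rejected ? res.status(400).send(verdict.reason) : next();
//   });
```

The two URL helpers make the defensive point concrete: the unsanitised path from the advisory's scenario resolves to the foreign host, while the collapsed path stays on localhost:4200, and a prefix normalised to a single leading slash resolves on the app's own origin. Middleware like this is a stopgap for deployments that cannot move to the patched versions listed above; the allow-list must be the real deployment host, and the proxy in front should still strip or set X-Forwarded-* itself.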

@renovate renovate Bot requested a review from markwhitfeld as a code owner April 8, 2026 20:19
@renovate renovate Bot enabled auto-merge (squash) April 8, 2026 20:19
@nx-cloud

nx-cloud Bot commented Apr 8, 2026

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

To disable these notifications, a workspace admin can disable them in workspace settings.


View your CI Pipeline Execution ↗ for commit 55e1b2c

Command Status Duration Result
nx run-many --target=build --all ❌ Failed 1m 2s View ↗

☁️ Nx Cloud last updated this comment at 2026-06-02 19:48:31 UTC

@renovate renovate Bot force-pushed the renovate/npm-angular-ssr-vulnerability branch 8 times, most recently from db0d473 to e1245cc Compare April 27, 2026 13:18
@renovate renovate Bot changed the title chore(deps): update dependency @angular/ssr to v20.3.17 [security] chore(deps): update dependency @angular/ssr to v20.3.17 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
auto-merge was automatically disabled April 27, 2026 18:40

Pull request was closed

@renovate renovate Bot deleted the renovate/npm-angular-ssr-vulnerability branch April 27, 2026 18:40
@renovate renovate Bot changed the title chore(deps): update dependency @angular/ssr to v20.3.17 [security] - autoclosed chore(deps): update dependency @angular/ssr to v20.3.17 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-angular-ssr-vulnerability branch 2 times, most recently from e1245cc to ce91917 Compare April 27, 2026 23:43
@renovate renovate Bot enabled auto-merge (squash) May 7, 2026 20:14
@renovate renovate Bot force-pushed the renovate/npm-angular-ssr-vulnerability branch 3 times, most recently from dbd0e1b to 4dc07e8 Compare May 10, 2026 18:49
@renovate renovate Bot force-pushed the renovate/npm-angular-ssr-vulnerability branch from 4dc07e8 to 823cef6 Compare May 20, 2026 16:47
@renovate renovate Bot force-pushed the renovate/npm-angular-ssr-vulnerability branch 2 times, most recently from 37646ba to 30c2771 Compare May 21, 2026 12:00
@renovate renovate Bot force-pushed the renovate/npm-angular-ssr-vulnerability branch from 30c2771 to 55e1b2c Compare June 2, 2026 19:45