CVE-2026-41423
Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server
Description
### Impact A [Server-Side Request Forgery (SSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF) vulnerability exists in `@angular/platform-server` due to improper handling of URLs during Server-Side Rendering (SSR). When an attacker sends a request such as `GET /\evil.com/ HTTP/1.1` the server engine (Express, etc.) passes the URL string to Angular’s rendering functions. Because the URL parser normalizes the backslash to a forward slash for HTTP/HTTPS schemes, the internal state of the application is hijacked to believe the current origin is `evil.com`. This misinterpretation tricks the application into treating the attacker’s domain as the local origin. Consequently, any relative `HttpClient` requests or `PlatformLocation.hostname` references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. **Affected APIs:** - `renderModule` - `renderApplication` - `CommonEngine` (from `@angular/ssr`) **Non-Affected APIs:** - `AngularAppEngine` (from `@angular/ssr`) - `AngularNodeAppEngine` (from `@angular/ssr`) ### Attack Preconditions - The server has outbound network access. - The application uses Angular SSR via the affected APIs. - A pathname is passed as URL to the rendering method (e.g. using `req.url`). - The server-side code performs HTTP requests using `HttpClient` with relative URLs or uses `PlatformLocation.hostname` to build URLs. ### Patches - 22.0.0-next.8 - 21.2.9 - 20.3.19 - 19.2.21 ### Workarounds Developers should implement a middleware to sanitize the request URL before it reaches Angular. This involves stripping or normalizing leading slashes: ```js app.use((req, res, next) => { // Sanitize the URL to ensure it starts with a single forward slash if (req.url.startsWith('//') || req.url.startsWith('/\\') || req.url.startsWith('\\')) { req.url = '/' + req.url.replace(/^[/\\]+/, ''); } next(); }); ``` ### References - [Fix](https://github.com/angular/angular/pull/68194)
How to fix CVE-2026-41423
To remediate CVE-2026-41423, upgrade the affected package to a fixed version below.
- —upgrade to 22.0.0-next.8 or later
Is CVE-2026-41423 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.