CVE-2026-46417
@angular/platform-server: SSRF via Hostname Hijacking
Description
### Impact A Server-Side Request Forgery (SSRF) vulnerability exists in `@angular/platform-server`. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., `http://evil.com`) is passed to the rendering engine, the internal `ServerPlatformLocation` can be manipulated into adopting the attacker-controlled domain as the "current" hostname. Consequently, any relative `HttpClient` requests or `PlatformLocation.hostname` references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. ### Fix Information The vulnerability is mitigated by introducing an Allowlist Mechanism directly into the core rendering APIs. The renderModule and renderApplication functions now include an allowedHosts configuration option. The rendering engine validates the hostname extracted from the request URL against this list before proceeding. If the hostname does not match an allowed entry, the engine prevents the hostname hijacking, ensuring that HttpClient requests remain restricted to trusted domains. ### Patches - 22.0.0-next.12 - 21.2.13 - 20.3.21 - 19.2.22 ### Workarounds Developers unable to update immediately should implement strict URL validation in their server entry point (e.g., `server.ts`). Ensure that `req.url` is validated against a known list of trusted hostnames or normalized to a relative path before being passed to`renderApplication` or `renderModule`. ```TypeScript // Example manual normalization in Express app.get('*', (req, res, next) => { const trustedHost = 'localhost:4000'; // Ensure the request target matches expectations if (req.headers.host !== trustedHost) { return res.status(403).send('Forbidden'); } next(); }); ```
How to fix CVE-2026-46417
To remediate CVE-2026-46417, upgrade the affected package to a fixed version below.
- —upgrade to 22.0.0-next.12 or later
Is CVE-2026-46417 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-46417.
Affected packages (1)
- >= 22.0.0-next.0, < 22.0.0-next.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N |