{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/angular/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@angular/platform-server (\u003e= 22.0.0-next.0, \u003c 22.0.0-next.12)","@angular/platform-server (\u003e= 21.0.0-next.0, \u003c 21.2.13)","@angular/platform-server (\u003e= 20.0.0-next.0, \u003c 20.3.21)","@angular/platform-server (\u003e= 19.0.0-next.0, \u003c 19.2.22)","@angular/platform-server (\u003c= 18.2.14)"],"_cs_severities":["high"],"_cs_tags":["ssrf","angular","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Angular"],"content_html":"\u003cp\u003eA Server-Side Request Forgery (SSRF) vulnerability has been identified in \u003ccode\u003e@angular/platform-server\u003c/code\u003e. This vulnerability arises from the server-side rendering (SSR) engine\u0026rsquo;s handling of request URLs. When an absolute-form URL (e.g., \u003ccode\u003ehttp://evil.com\u003c/code\u003e) is provided to the rendering engine, the internal \u003ccode\u003eServerPlatformLocation\u003c/code\u003e can be manipulated. This manipulation allows an attacker to set the hostname to an attacker-controlled domain. This issue impacts versions of \u003ccode\u003e@angular/platform-server\u003c/code\u003e prior to the patched versions: 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22 and also impacts versions \u003ccode\u003e\u0026lt;= 18.2.14\u003c/code\u003e. This vulnerability enables the redirection of relative \u003ccode\u003eHttpClient\u003c/code\u003e requests and \u003ccode\u003ePlatformLocation.hostname\u003c/code\u003e references to the attacker\u0026rsquo;s server, potentially exposing internal APIs or metadata services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious URL with an absolute form (e.g., \u003ccode\u003ehttp://evil.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThis malicious URL is passed to the \u003ccode\u003e@angular/platform-server\u003c/code\u003e rendering engine\u0026rsquo;s entry points (\u003ccode\u003erenderModule\u003c/code\u003e or \u003ccode\u003erenderApplication\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eServerPlatformLocation\u003c/code\u003e internal component processes the URL.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, \u003ccode\u003eServerPlatformLocation\u003c/code\u003e is manipulated to adopt the attacker-controlled domain (\u003ccode\u003eevil.com\u003c/code\u003e) as the \u0026ldquo;current\u0026rdquo; hostname.\u003c/li\u003e\n\u003cli\u003eThe Angular application, during server-side rendering, makes a relative \u003ccode\u003eHttpClient\u003c/code\u003e request (e.g., \u003ccode\u003e/api/internal\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThis relative request, intended for the legitimate server, is now redirected to \u003ccode\u003ehttp://evil.com/api/internal\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server receives the redirected request, potentially containing sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to internal APIs or metadata services through the redirected request.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-46417) can lead to the exposure of sensitive internal APIs and metadata services. An attacker could potentially gain access to confidential data, modify application settings, or perform unauthorized actions on behalf of the server. This can lead to data breaches, system compromise, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to the patched versions of \u003ccode\u003e@angular/platform-server\u003c/code\u003e: 22.0.0-next.12, 21.2.13, 20.3.21, or 19.2.22 to mitigate the vulnerability as noted in the advisory.\u003c/li\u003e\n\u003cli\u003eFor developers unable to update immediately, implement strict URL validation in their server entry point (e.g., \u003ccode\u003eserver.ts\u003c/code\u003e) as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Angular platform-server SSRF via Hostname Hijacking (CVE-2026-46417)\u0026rdquo; to detect potential exploitation attempts by monitoring server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T20:31:18Z","date_published":"2026-05-19T20:31:18Z","id":"https://feed.craftedsignal.io/briefs/2026-05-angular-ssrf/","summary":"A server-side request forgery (SSRF) vulnerability exists in `@angular/platform-server` due to improper processing of the request URL by the server-side rendering engine, allowing attackers to redirect relative HTTP requests to attacker-controlled servers, potentially exposing internal APIs or metadata services; patch CVE-2026-46417 immediately.","title":"Angular platform-server SSRF via Hostname Hijacking (CVE-2026-46417)","url":"https://feed.craftedsignal.io/briefs/2026-05-angular-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Angular","version":"https://jsonfeed.org/version/1.1"}