{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-04-19T02:20:55.981",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2026-27739",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2026-02-25T18:23:40.800",
        "lastModified": "2026-04-15T00:35:42.020",
        "vulnStatus": "Deferred",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "Angular SSR is a server-side rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular's internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers, specifically the Host and `X-Forwarded-*` family, to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the host domain, path and character sanitization, and port validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to credential exfiltration, internal network probing, and a confidentiality breach. In order to be vulnerable, the victim application must use Angular SSR (Server-Side Rendering), the application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object, the application server must be reachable by an attacker who can influence these headers without strict validation from a front-facing proxy, and the infrastructure (Cloud, CDN, or Load Balancer) must not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Some workarounds are available. Avoid using `req.headers` for URL construction. Instead, use trusted variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their `server.ts` to enforce numeric ports and validated hostnames."
          },
          {
            "lang": "es",
            "value": "Angular SSR es una herramienta de renderizado del lado del servidor para aplicaciones Angular. Las versiones anteriores a 21.2.0-rc.1, 21.1.5, 20.3.17 y 19.2.21 tienen una vulnerabilidad de falsificación de petición del lado del servidor (SSRF) en la cadena de manejo de peticiones de Angular SSR. La vulnerabilidad existe porque la lógica interna de reconstrucción de URL de Angular confía y consume directamente los encabezados HTTP controlados por el usuario, específicamente los de la familia Host y 'X-Forwarded-*', para determinar el origen base de la aplicación sin ninguna validación del dominio de destino. Específicamente, el framework no tenía comprobaciones para el dominio del host, la sanitización de rutas y caracteres, y la validación del puerto. Esta vulnerabilidad se manifiesta de dos formas principales: resolución implícita de URL relativas y construcción manual explícita. Cuando se explota con éxito, esta vulnerabilidad permite la dirección arbitraria de peticiones internas. Esto puede llevar a la exfiltración de credenciales, el sondeo de redes internas y una violación de la confidencialidad. Para ser vulnerable, la aplicación víctima debe usar Angular SSR (Server-Side Rendering), la aplicación debe realizar peticiones 'HttpClient' usando URL relativas O construir URL manualmente usando los encabezados 'Host' / 'X-Forwarded-*' no validados usando el objeto 'REQUEST', el servidor de aplicaciones debe ser accesible por un atacante que pueda influir en estos encabezados sin una validación estricta de un proxy frontal, y la infraestructura (Nube, CDN o Balanceador de Carga) no debe sanitizar o validar los encabezados entrantes. Las versiones 21.2.0-rc.1, 21.1.5, 20.3.17 y 19.2.21 contienen un parche. Algunas soluciones alternativas están disponibles. Evite usar 'req.headers' para la construcción de URL. En su lugar, use variables de confianza para las rutas base de la API. Aquellos que no puedan actualizar inmediatamente deben implementar un middleware en su 'server.ts' para exigir puertos numéricos y nombres de host validados."
          }
        ],
        "metrics": {
          "cvssMetricV40": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "4.0",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "privilegesRequired": "NONE",
                "userInteraction": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "LOW",
                "subAvailabilityImpact": "NONE",
                "exploitMaturity": "NOT_DEFINED",
                "confidentialityRequirement": "NOT_DEFINED",
                "integrityRequirement": "NOT_DEFINED",
                "availabilityRequirement": "NOT_DEFINED",
                "modifiedAttackVector": "NOT_DEFINED",
                "modifiedAttackComplexity": "NOT_DEFINED",
                "modifiedAttackRequirements": "NOT_DEFINED",
                "modifiedPrivilegesRequired": "NOT_DEFINED",
                "modifiedUserInteraction": "NOT_DEFINED",
                "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
                "modifiedVulnIntegrityImpact": "NOT_DEFINED",
                "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
                "modifiedSubConfidentialityImpact": "NOT_DEFINED",
                "modifiedSubIntegrityImpact": "NOT_DEFINED",
                "modifiedSubAvailabilityImpact": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "valueDensity": "NOT_DEFINED",
                "vulnerabilityResponseEffort": "NOT_DEFINED",
                "providerUrgency": "NOT_DEFINED"
              }
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Primary",
            "description": [
              {"lang": "en", "value": "CWE-918"}
            ]
          }
        ],
        "references": [
          {"url": "https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf", "source": "security-advisories@github.com"},
          {"url": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF", "source": "security-advisories@github.com"},
          {"url": "https://github.com/angular/angular-cli/pull/32516", "source": "security-advisories@github.com"},
          {"url": "https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx", "source": "security-advisories@github.com"}
        ]
      }
    }
  ]
}