CVE-2026-41423 Overview
CVE-2026-41423 is a Server-Side Request Forgery (SSRF) vulnerability in the @angular/platform-server package. The flaw affects Angular applications using Server-Side Rendering (SSR) prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8. Attackers exploit URL parser normalization behavior: for HTTP/HTTPS URLs, the WHATWG parser treats backslashes as forward slashes. A request such as GET /\evil.com/ HTTP/1.1 therefore hijacks the application's internal origin state, pointing it at evil.com. Subsequent relative HttpClient requests and PlatformLocation.hostname references then resolve to attacker-controlled infrastructure. This weakness is tracked under CWE-918 (Server-Side Request Forgery).
Critical Impact
Attackers can redirect server-side requests to arbitrary hosts, enabling exposure of internal APIs, cloud metadata services, and other resources reachable from the SSR server.
Affected Products
- Angular @angular/platform-server versions prior to 19.2.21
- Angular @angular/platform-server versions 20.x prior to 20.3.19 and 21.x prior to 21.2.9
- Angular @angular/platform-server 22.0.0-next.0 through 22.0.0-next.7
Discovery Timeline
- 2026-05-08 - CVE-2026-41423 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-41423
Vulnerability Analysis
The vulnerability resides in the parseUrl function within packages/platform-server/src/location.ts. Angular's SSR engine passes the incoming request URL string directly to the WHATWG URL constructor to derive origin context. The parser applies HTTP/HTTPS scheme-specific normalization rules that convert backslashes to forward slashes. An attacker-supplied path like /\evil.com/ is therefore parsed as the network-path reference //evil.com/, yielding evil.com as the resolved hostname.
Once the SSR engine adopts this hostname as the current origin, every relative HTTP call made by the rendered application inherits the malicious origin. The HttpClient issues outbound requests to the attacker-controlled host, and PlatformLocation.hostname returns the spoofed value to application logic.
Root Cause
The root cause is improper validation of the request URL string before delegation to the URL parser. The SSR code trusted the path component as a relative reference, but the URL specification's scheme-aware normalization promotes backslash-prefixed paths into authority components. No allowlist or origin-binding check constrained the resolved hostname to the server's actual identity.
Attack Vector
Exploitation requires only network access to a vulnerable Angular SSR endpoint. An unauthenticated attacker sends a crafted HTTP request whose path begins with a backslash followed by an arbitrary hostname. The SSR runtime then issues server-side requests against that hostname during rendering, which can reach cloud instance metadata services such as 169.254.169.254, internal microservices, or other resources behind the network perimeter.
// Patch excerpt from packages/platform-server/src/location.ts
// fix(platform-server): prevent SSRF bypasses via protocol-relative and backslash
import {INITIAL_CONFIG} from './tokens';

// Vulnerable implementation (removed):
// function parseUrl(
//   urlStr: string,
//   origin: string,
// ): {hostname: string; protocol: string; port: string;
//     pathname: string; search: string; hash: string; href: string} {
//   const {hostname, protocol, port, pathname, search, hash, href} =
//     new URL(urlStr, origin);
//   return {hostname, href, protocol, port, pathname, search, hash};
// }

/**
 * Parses a URL string and returns a URL object.
 * @param urlStr The string to parse.
 * @param origin The origin to use for resolving the URL.
 */
// Patched parser sanitizes protocol-relative and backslash-prefixed inputs
// before delegating to the URL constructor.
Source: Angular commit ede7c58a
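The parser behavior described above, reproduced as an added example that is not Angular's code and not the upstream patch: a function shaped like the removed parseUrl shows the hostname flipping to the injected authority, and an origin-binding variant (my own hardening, an assumption about one reasonable fix rather than what the commit does) rejects any input whose resolved origin differs from the server's. The origin app.example.test and the host evil.example are constructed sample values.

```javascript
// Added example (not Angular's code). Shows how the WHATWG URL parser
// promotes a backslash-prefixed request path into an authority, and an
// origin-binding check that rejects such input. Assumes Node.js (global URL).

// Mirrors the shape of the removed parseUrl: the request path is trusted
// as a relative reference and the parser is left to resolve it.
function parseUrlUnsafe(urlStr, origin) {
  const {hostname, protocol, port, pathname, search, hash, href} = new URL(urlStr, origin);
  return {hostname, protocol, port, pathname, search, hash, href};
}

// Hardened variant (an assumption, not the upstream patch): parse, then bind
// the resolved origin back to the server's own origin. Input that escapes to
// another authority via "//host", "/\host", "\\host" or an absolute URL is rejected.
function parseUrlBound(urlStr, origin) {
  const expected = new URL(origin);
  const parsed = new URL(urlStr, expected.href);
  if (parsed.origin !== expected.origin) {
    throw new Error(`request URL resolves to foreign origin ${parsed.origin}`);
  }
  const {hostname, protocol, port, pathname, search, hash, href} = parsed;
  return {hostname, protocol, port, pathname, search, hash, href};
}

// True when the request target would escape the server origin under special-scheme normalization.
function escapesOrigin(urlStr, origin) {
  try { parseUrlBound(urlStr, origin); return false; } catch (e) { return true; }
}

const ORIGIN = 'https://app.example.test'; // constructed sample origin

// A percent-encoded backslash (%5C) is not decoded by the parser and stays in
// the path; it only matters if an upstream proxy decodes it before the SSR layer.
function demo() {
  const out = {};
  for (const target of ['/products/42', '//evil.example/', '/\\evil.example/', '/%5Cevil.example/']) {
    out[target] = {
      unsafeHostname: parseUrlUnsafe(target, ORIGIN).hostname,
      rejectedByBoundParser: escapesOrigin(target, ORIGIN),
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```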
Detection Methods for CVE-2026-41423
Indicators of Compromise
- HTTP request lines containing backslash characters in the path, such as GET /\ or GET /\\, reaching Angular SSR endpoints.
- Outbound server-side requests from the SSR host to unexpected external domains or cloud metadata IPs like 169.254.169.254.
- SSR server logs showing PlatformLocation.hostname values that do not match the configured application origin.
Detection Strategies
- Inspect web server and reverse proxy access logs for request paths beginning with /\ or URL-encoded variants such as /%5C.
- Correlate inbound requests with outbound DNS resolutions from the Node.js SSR process to detect origin hijacking.
- Audit Angular project dependencies for @angular/platform-server versions below the patched releases.
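The log inspection from the first strategy above, as an added example (not from this advisory): it decodes percent-encoding a bounded number of times so that %5C and the double-encoded %255C surface as literal backslashes, and it inspects only the path portion of the request target, since a backslash in a query string cannot reach the authority and would otherwise be a false positive. The access log lines are constructed samples.

```javascript
// Added example (not from the advisory). Scans reverse-proxy access log lines
// for request targets that could hijack an Angular SSR origin: "//host",
// "/\host" and percent-encoded variants such as %5C or double-encoded %255C.
// The log lines are constructed samples in Combined Log Format.

const SAMPLE_ACCESS_LOG = [
  '10.0.0.5 - - [08/May/2026:10:00:01 +0000] "GET /products/42 HTTP/1.1" 200 5120',
  '10.0.0.9 - - [08/May/2026:10:00:02 +0000] "GET /\\evil.example/ HTTP/1.1" 200 4096',
  '10.0.0.9 - - [08/May/2026:10:00:03 +0000] "GET /%5Cevil.example/ HTTP/1.1" 200 4096',
  '10.0.0.9 - - [08/May/2026:10:00:04 +0000] "GET /%255cevil.example/ HTTP/1.1" 200 4096',
  '10.0.0.9 - - [08/May/2026:10:00:05 +0000] "GET //169.254.169.254/latest/ HTTP/1.1" 200 4096',
  '10.0.0.7 - - [08/May/2026:10:00:06 +0000] "GET /search?q=a%5Cb HTTP/1.1" 200 2048',
].join('\n');

// Matches the quoted request line of Common/Combined Log Format entries.
const REQUEST_LINE = /"([A-Z]+) (\S+) HTTP\/[\d.]+"/;

// Percent-decodes repeatedly (bounded) so %5C and %255C both surface as a
// literal backslash; stops on malformed input instead of throwing.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Only the path can be promoted to an authority, so the query string is
// ignored; a backslash inside a query parameter is not an origin-hijack signal.
function classifyTarget(target) {
  const path = fullyDecode(target.split('?')[0]);
  if (/^[\/\\]{2}/.test(path)) return 'authority-escape';  // //h, /\h, \/h, \\h
  if (path.includes('\\')) return 'backslash-in-path';    // lower severity
  return null;
}

function scanAccessLog(text) {
  const hits = [];
  for (const line of text.split('\n')) {
    const m = REQUEST_LINE.exec(line);
    if (!m) continue;
    const reason = classifyTarget(m[2]);
    if (reason) hits.push({line, target: m[2], reason});
  }
  return hits;
}

console.log(scanAccessLog(SAMPLE_ACCESS_LOG));
```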
Monitoring Recommendations
- Enable egress traffic logging from SSR workloads and alert on connections to non-allowlisted destinations, especially link-local metadata ranges.
- Track Node.js process telemetry for unexpected outbound HTTP requests during render operations.
- Add WAF rules that normalize and block backslash characters in request paths before they reach the SSR layer.
How to Mitigate CVE-2026-41423
Immediate Actions Required
- Upgrade @angular/platform-server to 19.2.21, 20.3.19, 21.2.9, or 22.0.0-next.8 depending on your release line.
- Audit application code for direct trust in PlatformLocation.hostname or relative HttpClient requests issued during SSR.
- Restrict SSR worker egress via network policy so it cannot reach cloud metadata services or sensitive internal hosts.
Patch Information
The Angular team published fixes in commit ede7c58a2aa13fdccc8f0b67ce93ba1c11749412, which hardens parseUrl against protocol-relative and backslash-prefixed inputs. See the GitHub Security Advisory GHSA-45q2-gjvg-7973 and the pull request discussion for implementation details.
Workarounds
- Deploy a reverse proxy or WAF rule that rejects HTTP requests whose path contains backslash characters or the encoded sequence %5C.
- Apply IMDSv2 enforcement on AWS and equivalent metadata protections on other cloud providers to blunt SSRF impact.
- Configure egress allowlists on the SSR container or host so outbound HTTP traffic is limited to approved upstream services.
# Upgrade Angular platform-server to a patched release
npm install @angular/platform-server@^19.2.21
# or, depending on your major version line:
npm install @angular/platform-server@^20.3.19
npm install @angular/platform-server@^21.2.9
# Verify installed version
npm ls @angular/platform-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.