CVE-2026-27739: Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers (specifically Host and the X-Forwarded-* family) to determine the application’s base origin, without any validation of the destination domain.
Specifically, the framework did not perform the following checks:
- Host Domain: The Host and X-Forwarded-Host headers were not checked to belong to a trusted origin. This allows an attacker to redefine the “base” of the application to an arbitrary external domain.
- Path & Character Sanitization: The X-Forwarded-Host header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs.
- Port Validation: The X-Forwarded-Port header was not verified as numeric, leading to malformed URI construction or injection attacks.
This vulnerability manifests in two primary ways:
- Implicit Relative URL Resolution: Angular’s HttpClient resolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can “steer” these requests to an external server or internal service.
- Explicit Manual Construction: Developers injecting the REQUEST object to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing the Host/X-Forwarded-* headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.
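As an added illustration (not code from the advisory, and not the fix merged in the Angular CLI pull request), the following hardened base-origin resolver applies the three checks listed above before any relative URL is resolved against the origin. It assumes headers arrive as a lowercase-keyed map and that the deployment supplies an explicit allowlist of hostnames it serves; both the map shape and the function name are hypothetical.

```typescript
type HeaderMap = Record<string, string | undefined>;

// Bare host[:port] only: hostname labels of letters, digits and '-', joined by '.'.
// Anything else (slash, '@', '?', '#', whitespace, IPv6 brackets) is rejected outright.
const HOST_RE = /^([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)(?::(\d{1,5}))?$/i;

// Purely numeric and within the TCP port range.
function isValidPort(p: string): boolean {
  return /^\d{1,5}$/.test(p) && Number(p) >= 1 && Number(p) <= 65535;
}

// Returns the canonical base origin, or null when any header fails validation.
// headers: lowercase-keyed header map (assumed shape; adapt to your server's request object).
// trustedHosts: explicit allowlist of hostnames this deployment serves.
function resolveBaseOrigin(headers: HeaderMap, trustedHosts: string[], defaultProto = 'https'): string | null {
  // X-Forwarded-Host takes precedence when present, but is validated exactly like Host.
  const rawHost = headers['x-forwarded-host'] ?? headers['host'];
  if (!rawHost) return null;
  const m = HOST_RE.exec(rawHost.trim());
  if (!m) return null; // path segments or special characters: reject
  const hostname = m[1].toLowerCase();
  // Exact allowlist match only; no suffix matching, so "app.example.com.evil.net" fails.
  if (!trustedHosts.some(h => h.toLowerCase() === hostname)) return null;
  // Port: X-Forwarded-Port overrides an inline port, and must be purely numeric.
  let port: string | undefined = m[2];
  const fwdPort = headers['x-forwarded-port'];
  if (fwdPort !== undefined) port = fwdPort;
  if (port !== undefined && !isValidPort(port)) return null;
  // Scheme: only http or https are acceptable values.
  const proto = headers['x-forwarded-proto'] ?? defaultProto;
  if (proto !== 'http' && proto !== 'https') return null;
  const defaultPort = proto === 'https' ? '443' : '80';
  const suffix = port === undefined || port === defaultPort ? '' : `:${port}`;
  return `${proto}://${hostname}${suffix}`;
}

// Constructed sample: a request whose forwarded host points outside the allowlist.
const sampleHeaders: HeaderMap = { host: 'app.example.com', 'x-forwarded-host': 'evil.example.net' };
console.log(resolveBaseOrigin(sampleHeaders, ['app.example.com'])); // null: origin not trusted
```

Any null result should be logged and the request answered with a fixed, configured origin rather than a header-derived one.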
References
- angular.dev/best-practices/security
- developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF
- github.com/advisories/GHSA-x288-3778-4hhx
- github.com/angular/angular-cli
- github.com/angular/angular-cli/pull/32516
- github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx
- nvd.nist.gov/vuln/detail/CVE-2026-27739