Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and X-Forwarded-* family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the following: Host Domain: The Host and X-Forwarded-Host headers were not checked …