Threat Advisory

Angular SSRF Vulnerability Affects Server Rendering

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-46417 (CVSS 8.8) is a Server-Side Request Forgery vulnerability in the npm package @angular/platform-server. Affected version ranges: >= 22.0.0-next.0 and < 22.0.0-next.12; >= 21.0.0-next.0 and < 21.2.13; >= 20.0.0-next.0 and < 20.3.21; >= 19.0.0-next.0 and < 19.2.22; and <= 18.2.14. The root cause is the way the server-side rendering engine processes the request URL handed to its rendering entry points. If that URL is in absolute form (a full scheme://host/path rather than a path beginning with "/"), ServerPlatformLocation adopts the host from the URL as the "current" hostname. Relative HttpClient requests issued during rendering are then resolved against that attacker-controlled origin and sent to the attacker's server, and any code reading PlatformLocation.hostname sees the attacker's host. Because these requests originate from the rendering server, the flaw can expose internal APIs or metadata services that are not reachable from the public network, giving the attacker unauthorized access to sensitive information. The business impact of exploitation includes data breaches, unauthorized access to internal systems, and compromised user data. The only prerequisite is that an absolute-form URL reaches the rendering engine; an attacker who can send requests to the server's rendering entry points can supply one (an absolute-form request-target such as "GET http://attacker.example/ HTTP/1.1" is the usual vehicle) whenever the server forwards the raw request URL to the renderer.
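The mechanism above is easiest to see in the WHATWG URL parser that Node exposes: resolving a relative path against a base works as expected, but resolving an absolute-form input against a base ignores the base entirely, so a renderer that does this adopts the client's host. The following is an added example, not code from Angular or the upstream fix (the remediation is to upgrade, as in the recommendation below). It models the unsafe resolution beside a server-side guard that only admits origin-form request-targets and pins the resolved origin to a configured value. TRUSTED_ORIGIN, the hosts app.example and attacker.example, and the function names are assumptions for illustration; resolveRelativeRequest is a simplified model of how a relative HttpClient call becomes an absolute request, not the library's actual implementation.

```typescript
// Added example, not Angular's code or the upstream fix: a guard for the URL that an
// SSR server hands to its render entry point. Assumptions (not from the advisory):
// the server forwards Node's raw request-target (req.url) to the renderer, and the
// deployment's canonical origin is known from configuration, never taken from headers.

const TRUSTED_ORIGIN = 'https://app.example'; // assumed config value (hypothetical host)

class BadRequestTargetError extends Error {}

// Simplified model of how a renderer turns a relative HttpClient call into an absolute
// request: it resolves the relative path against whatever it believes the current URL is.
function resolveRelativeRequest(currentUrl: string, relativePath: string): string {
  return new URL(relativePath, currentUrl).toString();
}

// Vulnerable pattern: the raw request-target is resolved against the trusted origin.
// For origin-form targets ("/products") this works, but for an absolute-form target
// ("http://attacker.example/") the WHATWG URL parser ignores the base entirely, so the
// attacker's host becomes the current origin for every relative request that follows.
function naiveRenderUrl(rawTarget: string): string {
  return new URL(rawTarget, TRUSTED_ORIGIN).toString();
}

// Hardened pattern: accept only origin-form request-targets (a path starting with a single
// "/"; "//host" and "/\host" are rejected because the URL parser treats both as a
// scheme-relative authority), then re-check that the resolved origin is the trusted one.
function safeRenderUrl(rawTarget: string): string {
  if (!rawTarget.startsWith('/') || rawTarget.startsWith('//') || rawTarget.startsWith('/\\')) {
    throw new BadRequestTargetError(`rejecting non-origin-form request-target: ${rawTarget}`);
  }
  const url = new URL(rawTarget, TRUSTED_ORIGIN);
  if (url.origin !== TRUSTED_ORIGIN) {
    throw new BadRequestTargetError(`resolved origin ${url.origin} is not ${TRUSTED_ORIGIN}`);
  }
  return url.toString();
}

// Demonstration over a constructed attacker input: the same absolute-form target through
// both paths, followed by the relative "/api/internal" call the rendered app would make.
function demo(): { naive: string; naiveInternalCall: string; safeRejected: boolean } {
  const attackerTarget = 'http://attacker.example/'; // constructed absolute-form request-target
  const naive = naiveRenderUrl(attackerTarget);
  const naiveInternalCall = resolveRelativeRequest(naive, '/api/internal');
  let safeRejected = false;
  try {
    safeRenderUrl(attackerTarget);
  } catch (err) {
    safeRejected = err instanceof BadRequestTargetError;
  }
  return { naive, naiveInternalCall, safeRejected };
}

console.log(demo());
// -> naive 'http://attacker.example/', naiveInternalCall 'http://attacker.example/api/internal', safeRejected true
```

The guard belongs in the server middleware ahead of the render call, and it is defense in depth only: it protects servers that pass the raw request-target through, while the affected library versions still need the upgrade. Note that the origin check is what makes the guard robust; the prefix tests alone would be easy to get subtly wrong against the URL parser's handling of backslashes and scheme-relative inputs.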


RECOMMENDATION:

  • We recommend updating npm/@angular/platform-server to the first fixed release of your major version: 22.0.0-next.12, 21.2.13, 20.3.21, or 19.2.22. No fixed 18.x release is listed, so deployments on 18.x need to move to one of the fixed versions above.
  • Until the upgrade is deployed, ensure the SSR server does not forward a client-supplied absolute-form URL to the rendering entry point; build the render URL from a configured origin and an origin-form path instead.

REFERENCES:

The following advisory contains further technical details:
https://github.com/advisories/GHSA-rfh7-fxqc-q52v
