build(deps): update dependency @angular/platform-server to v20.3.19 [security] by renovate[bot] · Pull Request #769 · davidlj95/chrislb

renovate · 2026-04-17T01:33:33Z

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/platform-server (source)	`20.3.0` → `20.3.19`

Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server

GHSA-45q2-gjvg-7973

More information

Details

Impact

A Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server due to improper handling of URLs during Server-Side Rendering (SSR).

When an attacker sends a request such as GET /\evil.com/ HTTP/1.1 the server engine (Express, etc.) passes the URL string to Angular’s rendering functions.

Because the URL parser normalizes the backslash to a forward slash for HTTP/HTTPS schemes, the internal state of the application is hijacked to believe the current origin is evil.com. This misinterpretation tricks the application into treating the attacker’s domain as the local origin. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services.

Affected APIs:

renderModule
renderApplication
CommonEngine (from @angular/ssr)

Non-Affected APIs:

AngularAppEngine (from @angular/ssr)
AngularNodeAppEngine (from @angular/ssr)

Attack Preconditions

The server has outbound network access.
The application uses Angular SSR via the affected APIs.
A pathname is passed as URL to the rendering method (e.g. using req.url).
The server-side code performs HTTP requests using HttpClient with relative URLs or uses PlatformLocation.hostname to build URLs.

Patches

22.0.0-next.8
21.2.9
20.3.19
19.2.21

Workarounds

Developers should implement a middleware to sanitize the request URL before it reaches Angular. This involves stripping or normalizing leading slashes:

app.use((req, res, next) => {
  // Sanitize the URL to ensure it starts with a single forward slash
  if (req.url.startsWith('//') || req.url.startsWith('/\\') || req.url.startsWith('\\')) {
     req.url = '/' + req.url.replace(/^[/\\]+/, '');
  }
  next();
});

References

Fix

Severity

CVSS Score: 8.7 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

angular/angular (@angular/platform-server)

Commit	Type	Description
72126f9a08	fix	sanitize translated attribute bindings with interpolations
626bc8bc20	fix	sanitize translated form attributes

Commit	Type	Description
f9d0818087	fix	support arbitrary nesting in :host-context()
106b9040df	fix	support commas in :host() argument
9419ea348a	fix	support complex selectors in :nth-child()
036c5d2a07	fix	support one additional level of nesting in :host()

Commit	Type	Description
4c89a267c3	fix	pass element removal property through in all locations (#64565)
2fad4d4ab6	fix	prevent duplicate nodes from being retained with fast `animate.leave`` calls (#64592)

Commit	Type	Description
cfd8ed3fff	fix	Fix outlet serialization and parsing with no primary children (#64505)
182fe78f91	fix	Surface parse errors in Router.parseUrl (#64503)

Commit	Type	Description
8dec92ff9f	fix	capture metadata for undecorated fields (#63957) (#64317)
c2e817b0ef	perf	fix performance of "interpolated signal not invoked" check (#64410)

Commit	Type	Description
f15cfa4cc4	fix	fixes regression in `animate.leave` function bindings (#64413)
d54dd674ca	fix	Prevents early style pruning with leave animations (#64335)

Commit	Type	Description
554573e524	fix	migrating input with more than 1 usage in a method (#64367)
2c79ca0b57	fix	remove error for no matching files in control flow migration (#64253) (#64314)

Commit	Type	Description
853ed169a8	fix	ensure missing leave animations don't queue leave animations (#64226)
6fed986b7a	fix	Fixes animations in conjunction with content projection (#63776)
76fe5599fe	fix	handle undefined CSS time values in parseCssTimeUnitsToMs function (#64181)
3b959105be	fix	prevent early exit from leave animations when multiple transitions are present (#64225)

Commit	Type	Description
542cd0019a	fix	do not rename ARIA property bindings to attributes (#64089)
0e928fbc4a	fix	Fixes animations in conjunction with content projection (#63776)
e5157bd933	fix	prevents unintended early termination of leave animations and hoisting (#64088)

Commit	Type	Description
1710cbd7d4	fix	handle shorthand property declarations in NgModule (#64160)
77b6305a4b	fix	skip migration for inputs with 'this' references (#64142)

Commit	Type	Description
16d0d43ad4	fix	handle import aliases to the same module name (#63934)
3ebaeccb46	fix	handle reused templates in control flow migration (#63996)

Commit	Type	Description
ba40153ac0	fix	capture metadata for undecorated fields (#63904)
1d4f81c8ee	fix	resolve import alias in defer blocks (#63966)

Commit	Type	Description
9515a70933	fix	fix narrowing of `Resource.hasValue()` (#63994)
e78451cf8a	fix	prevent animations renderer from impacting `animate.leave` (#63921)

Conversation

renovate Bot commented Apr 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server

Details

Impact

Attack Preconditions

Patches

Workarounds

References

Severity

References

Release Notes

platform-server

compiler

core

Breaking Changes

core

core

core

compiler

http

common

compiler

core

compiler-cli

migrations

animations

compiler

compiler-cli

core

router

core

platform-browser

compiler-cli

core

migrations

router

core

migrations

compiler

core

migrations

compiler-cli

core

forms

migrations

compiler

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Apr 17, 2026 •

edited

Loading