Platform: nodejs
Component: @angular/ssr
Fixed in: 21.2.1, 21.0.1, 20.0.1, 19.2.22, 16.2.1, 21.2.0-rc.1
A critical Server-Side Request Forgery (SSRF) vulnerability has been discovered in the Angular SSR request handling pipeline within the @angular/ssr component. This flaw allows attackers to manipulate HTTP headers, specifically the Host and X-Forwarded-* family, to trick the application into making requests to unintended internal resources. Affected versions are those prior to 21.2.0-rc.1; upgrading to this version resolves the issue.
The SSRF vulnerability in @angular/ssr poses a significant risk because it enables attackers to bypass security controls and access internal resources that should be inaccessible from the outside. An attacker could leverage this to scan internal networks, access sensitive data stored on internal servers (databases, configuration files), or even potentially execute commands on vulnerable systems if they can craft a request that triggers an internal service to perform an action. The blast radius extends to any internal service or resource accessible via HTTP, making this a high-impact vulnerability.
This vulnerability is considered high probability due to the ease of exploitation and the potential impact. While no public exploits have been widely reported, the SSRF nature of the vulnerability makes it a prime target for automated scanning and exploitation. The vulnerability was publicly disclosed on 2026-02-25. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.05% (17th percentile)
CISA SSVC
The primary mitigation is to upgrade to @angular/ssr version 21.2.0-rc.1 or later, which includes the necessary fixes. If upgrading is not immediately feasible, implement strict header validation to prevent attackers from manipulating the Host and X-Forwarded-* headers. This can be achieved by whitelisting allowed domains or implementing a robust validation mechanism that verifies the destination domain before making any requests. Consider deploying a Web Application Firewall (WAF) with SSRF protection rules to block malicious requests.
Update Angular SSR to version 21.2.0-rc.1, 21.1.5, 20.3.17, or 19.2.21 or higher. If you cannot update immediately, avoid using `req.headers` for URL construction and use trusted variables for the API base paths. Implement middleware in your `server.ts` to enforce numeric ports and validated hostnames.
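As an added example (not code from this advisory or from the Angular project), the following Express-style middleware, assumed to be registered in `server.ts` ahead of the SSR handler, implements the header validation described above: it accepts only allow-listed hostnames and numeric ports and exposes a single trusted origin for downstream URL construction. The allow-list entries, the `trustedOriginGuard` name and the Express `(req, res, next)` wiring are assumptions.

```javascript
// Added example, not code from the advisory or the Angular project: an Express-style
// middleware that derives the request origin only from allow-listed hosts and
// numeric ports, so downstream code never builds URLs from raw req.headers.
const ALLOWED_HOSTS = new Set(['app.example.com', 'localhost']); // hypothetical allow-list
// RFC 1123-style hostname labels; IPv6 literals are deliberately not accepted.
const HOSTNAME_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/i;

// Proxies may append values with commas; only the first (client-facing) value is used.
function firstValue(v) {
  return String(v ?? '').split(',')[0].trim();
}

// Parses "host[:port]"; returns null unless the host is well-formed and the port numeric.
function parseHostPort(raw) {
  const m = /^([^:]+)(?::(\d{1,5}))?$/.exec(raw);
  if (!m || !HOSTNAME_RE.test(m[1])) return null;
  const port = m[2] === undefined ? undefined : Number(m[2]);
  if (port !== undefined && (port < 1 || port > 65535)) return null;
  return { host: m[1].toLowerCase(), port };
}

// Returns "proto://host[:port]" built from validated headers, or null to reject.
function resolveTrustedOrigin(headers, allowedHosts = ALLOWED_HOSTS) {
  const parsed = parseHostPort(firstValue(headers['x-forwarded-host'] ?? headers['host']));
  if (!parsed || !allowedHosts.has(parsed.host)) return null;
  const proto = firstValue(headers['x-forwarded-proto'] ?? 'https').toLowerCase();
  if (proto !== 'http' && proto !== 'https') return null;
  let port = parsed.port;
  if (headers['x-forwarded-port'] !== undefined) {
    const p = firstValue(headers['x-forwarded-port']);
    if (!/^\d{1,5}$/.test(p)) return null; // digits only: rejects "abc", "80 80", empty
    port = Number(p);
    if (port < 1 || port > 65535) return null;
  }
  const defaultPort = proto === 'https' ? 443 : 80;
  const suffix = port === undefined || port === defaultPort ? '' : `:${port}`;
  return `${proto}://${parsed.host}${suffix}`;
}

// Middleware factory; assumes Express's (req, res, next) contract (hypothetical wiring).
function trustedOriginGuard(allowedHosts = ALLOWED_HOSTS) {
  return (req, res, next) => {
    const origin = resolveTrustedOrigin(req.headers, allowedHosts);
    if (origin === null) return res.status(400).send('Invalid Host or X-Forwarded-* header');
    req.trustedOrigin = origin; // downstream API calls use this, never raw headers
    return next();
  };
}
```

Because every accepted host must already be on the allow-list, a spoofed X-Forwarded-Host can at most select among your own hostnames, never an internal address.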
CVE-2026-27739 is a critical SSRF vulnerability in the @angular/ssr component, allowing attackers to manipulate HTTP headers and access internal resources.
You are affected if you are using @angular/ssr versions prior to 21.2.0-rc.1 and have not implemented header validation.
Upgrade to @angular/ssr version 21.2.0-rc.1 or later. If upgrading is not possible, implement strict header validation to prevent header manipulation.
While no widespread exploitation has been confirmed, the SSRF nature of the vulnerability makes it a potential target for attackers.
Refer to the official Angular security advisories for detailed information and updates regarding CVE-2026-27739.