{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46417", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-13T21:04:10.933Z", "datePublished": "2026-06-22T15:40:32.527Z", "dateUpdated": "2026-06-30T03:15:36.788Z"}, "containers": {"cna": {"title": "Angular: SSRF via Hostname Hijacking in @angular/platform-server", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v"}, {"name": "https://github.com/angular/angular/pull/68570", "tags": ["x_refsource_MISC"], "url": "https://github.com/angular/angular/pull/68570"}], "affected": [{"vendor": "angular", "product": "angular", "versions": [{"version": ">= 22.0.0-next.0, < 22.0.0-next.12", "status": "affected"}, {"version": ">= 21.0.0-next.0, < 21.2.13", "status": "affected"}, {"version": ">= 20.0.0-next.0, < 20.3.21", "status": "affected"}, {"version": ">= 19.0.0-next.0, < 19.2.22", "status": "affected"}, {"version": "<= 18.2.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T15:48:53.298Z"}, "descriptions": [{"lang": "en", "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the \"current\" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22."}], "source": {"advisory": "GHSA-rfh7-fxqc-q52v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-23T14:16:15.745160Z", "id": "CVE-2026-46417", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T14:18:28.135Z"}}, {"affected": [{"cpes": ["cpe:/a:redhat:jboss_fuse:7"], "defaultStatus": "affected", "product": "Red Hat Fuse 7", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat"}], "datePublic": "2026-06-22T15:40:32.527Z", "descriptions": [{"lang": "en", "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the \"current\" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22."}], "metrics": [{"other": {"content": {"namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important"}, "type": "Red Hat severity rating"}}], "references": [{"tags": ["vdb-entry", "x_refsource_REDHAT"], "url": "https://access.redhat.com/security/cve/CVE-2026-46417"}, {"name": "RHBZ#2491444", "tags": ["issue-tracking", "x_refsource_REDHAT"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491444"}, {"tags": ["x_sadp-csaf-vex"], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46417.json"}], "timeline": [{"lang": "en", "time": "2026-06-22T18:01:21.611Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-22T15:40:32.527Z", "value": "Made public."}], "title": "@angular/platform-server: Angular: SSRF via Hostname Hijacking in @angular/platform-server", "workarounds": [{"lang": "en", "value": "To mitigate this vulnerability, implement strict URL validation within the server entry point of applications utilizing `@angular/platform-server`. Developers should ensure that the `req.url` is validated against a predefined list of trusted hostnames or normalized to a relative path before being passed to `renderApplication` or `renderModule`. This prevents the server-side rendering engine from being manipulated by attacker-controlled domains."}], "x_adpType": "supplier", "x_generator": {"engine": "sadp-cli 1.0.0"}, "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T03:15:36.788Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "@angular/platform-server: Angular: SSRF via Hostname Hijacking in @angular/platform-server", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}], "affected": [{"cpes": ["cpe:/a:redhat:jboss_fuse:7"], "vendor": "Red Hat", "product": "Red Hat Fuse 7", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-06-22T18:01:21.611Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-22T15:40:32.527Z", "value": "Made public."}], "x_adpType": "supplier", "datePublic": "2026-06-22T15:40:32.527Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-46417", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491444", "name": "RHBZ#2491444", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46417.json", "tags": ["x_sadp-csaf-vex"]}], "workarounds": [{"lang": "en", "value": "To mitigate this vulnerability, implement strict URL validation within the server entry point of applications utilizing `@angular/platform-server`. Developers should ensure that the `req.url` is validated against a predefined list of trusted hostnames or normalized to a relative path before being passed to `renderApplication` or `renderModule`. This prevents the server-side rendering engine from being manipulated by attacker-controlled domains."}], "x_generator": {"engine": "sadp-cli 1.0.0"}, "descriptions": [{"lang": "en", "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the \"current\" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22."}], "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T03:15:36.788Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-46417", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-23T14:16:15.745160Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T14:16:20.310Z"}}], "cna": {"title": "Angular: SSRF via Hostname Hijacking in @angular/platform-server", "source": {"advisory": "GHSA-rfh7-fxqc-q52v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "angular", "product": "angular", "versions": [{"status": "affected", "version": ">= 22.0.0-next.0, < 22.0.0-next.12"}, {"status": "affected", "version": ">= 21.0.0-next.0, < 21.2.13"}, {"status": "affected", "version": ">= 20.0.0-next.0, < 20.3.21"}, {"status": "affected", "version": ">= 19.0.0-next.0, < 19.2.22"}, {"status": "affected", "version": "<= 18.2.14"}]}], "references": [{"url": "https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v", "name": "https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/angular/angular/pull/68570", "name": "https://github.com/angular/angular/pull/68570", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the \"current\" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T15:48:53.298Z"}}}, "cveMetadata": {"cveId": "CVE-2026-46417", "state": "PUBLISHED", "dateUpdated": "2026-06-30T03:15:36.788Z", "dateReserved": "2026-05-13T21:04:10.933Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-22T15:40:32.527Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "@angular/platform-server: Angular: SSRF via Hostname Hijacking in @angular/platform-server", "id": "2491444", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491444"}, "csaw": false, "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, implement strict URL validation within the server entry point of applications utilizing `@angular/platform-server`. Developers should ensure that the `req.url` is validated against a predefined list of trusted hostnames or normalized to a relative path before being passed to `renderApplication` or `renderModule`. This prevents the server-side rendering engine from being manipulated by attacker-controlled domains."}, "name": "CVE-2026-46417", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "dotnet5.0-build-reference-packages", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "platform-server", "product_name": "Red Hat Fuse 7"}], "public_date": "2026-06-22T15:40:32Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-46417\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46417\nhttps://github.com/angular/angular/pull/68570\nhttps://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v"], "statement": "This Important Server-Side Request Forgery (SSRF) vulnerability in `@angular/platform-server` within Red Hat JBoss Fuse allows an attacker to redirect internal `HttpClient` requests or `PlatformLocation.hostname` references to an arbitrary external server. This occurs when an absolute-form URL is provided to the server-side rendering engine, potentially exposing internal APIs or metadata services. Red Hat Enterprise Linux is not affected as the vulnerable code is not in its execution path.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[22.0.0-next.0,22.0.0-next.12)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[21.0.0-next.0,21.2.13)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[20.0.0-next.0,20.3.21)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.0.0-next.0,19.2.22)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,18.2.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "angular", "source": "cna", "vendor": "angular"}, "product": "angular", "vendor": "angular"}], "created": "2026-06-22T18:30:15.400361+00:00", "updated": "2026-06-22T20:00:06.025639+00:00", "vendors": ["angular", "angular$PRODUCT$angular"]}