
chore(deps): update dependency @angular/ssr to v21.2.3 [security]#423

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-angular-ssr-vulnerability

Conversation


@renovate renovate bot commented Mar 19, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Change
@angular/ssr | 21.0.0 → 21.2.3

GitHub Vulnerability Alerts

CVE-2026-27738

An Open Redirect vulnerability exists in the internal URL processing logic in Angular SSR. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash.

When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header, an attacker can provide a value starting with three slashes (e.g., ///evil.com).

  1. The application processes a redirect (e.g., from a router redirectTo or i18n locale switch).
  2. Angular receives ///evil.com as the prefix.
  3. It strips one slash, leaving //evil.com.
  4. The resulting string is used in the Location header.
  5. Modern browsers interpret // as a protocol-relative URL, redirecting the user from https://your-app.com to https://evil.com.

Impact

This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:

  • Scale: A single request can poison a high-traffic route, impacting all users until the cache expires.
  • SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.
  • Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.

Attack Preconditions

  • The application must use Angular SSR.
  • The application must have routes that perform internal redirects.
  • The infrastructure (Reverse Proxy/CDN) must pass the X-Forwarded-Prefix header to the SSR process without sanitization.
  • The cache must not vary on the X-Forwarded-Prefix header.

Patches

  • 21.2.0-rc.1
  • 21.1.5
  • 20.3.17
  • 19.2.21

Workarounds

Until the patch is applied, developers should sanitize the X-Forwarded-Prefix header in their server.ts before the Angular engine processes the request:

app.use((req, res, next) => {
  const prefix = req.headers['x-forwarded-prefix']?.trim();
  if (prefix) {
    // Sanitize by removing all leading slashes
    req.headers['x-forwarded-prefix'] = prefix.replace(/^[/\\]+/, '/');
  }
  next();
});


CVE-2026-27739

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular's internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers, specifically the Host and X-Forwarded-* family, to determine the application's base origin without any validation of the destination domain.

Specifically, the framework didn't have checks for the following:

  • Host Domain: The Host and X-Forwarded-Host headers were not checked to belong to a trusted origin. This allows an attacker to redefine the "base" of the application to an arbitrary external domain.
  • Path & Character Sanitization: The X-Forwarded-Host header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs.
  • Port Validation: The X-Forwarded-Port header was not verified as numeric, leading to malformed URI construction or injection attacks.

This vulnerability manifests in two primary ways:

  • Implicit Relative URL Resolution: Angular's HttpClient resolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can "steer" these requests to an external server or internal service.
  • Explicit Manual Construction: Developers injecting the REQUEST object to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing the Host / X-Forwarded-* headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.

Impact

When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to:

  • Credential Exfiltration: Stealing sensitive Authorization headers or session cookies by redirecting them to an attacker's server.
  • Internal Network Probing: Accessing and transmitting data from internal services, databases, or cloud metadata endpoints (e.g., 169.254.169.254) not exposed to the public internet.
  • Confidentiality Breach: Accessing sensitive information processed within the application's server-side context.

Attack Preconditions

  • The victim application must use Angular SSR (Server-Side Rendering).
  • The application must perform HttpClient requests using relative URLs OR manually construct URLs using the unvalidated Host / X-Forwarded-* headers using the REQUEST object.
  • Direct Header Access: The application server is reachable by an attacker who can influence these headers without strict validation from a front-facing proxy.
  • Lack of Upstream Validation: The infrastructure (Cloud, CDN, or Load Balancer) does not sanitize or validate incoming headers.

Patches

  • 21.2.0-rc.1
  • 21.1.5
  • 20.3.17
  • 19.2.21

Workarounds

  • Use Absolute URLs: Avoid using req.headers for URL construction. Instead, use trusted variables for your base API paths.
  • Implement Strict Header Validation (Middleware): If you cannot upgrade immediately, implement a middleware in your server.ts to enforce numeric ports and validated hostnames.
const ALLOWED_HOSTS = new Set(['your-domain.com']);

app.use((req, res, next) => {
  const hostHeader = (req.headers['x-forwarded-host'] ?? req.headers['host'])?.toString();
  const portHeader = req.headers['x-forwarded-port']?.toString();

  if (hostHeader) {
    const hostname = hostHeader.split(':')[0];
    // Reject if hostname contains path separators or is not in allowlist
    // The test is negated: a hostname that does NOT match the safe character set is rejected
    if (!/^[a-z0-9.:-]+$/i.test(hostname) ||
       (!ALLOWED_HOSTS.has(hostname) && hostname !== 'localhost')) {
      return res.status(400).send('Invalid Hostname');
    }
  }

  // Ensure port is strictly numeric if provided
  if (portHeader && !/^\d+$/.test(portHeader)) {
    return res.status(400).send('Invalid Port');
  }

  next();
});


CVE-2026-33397

An Open Redirect vulnerability exists in @angular/ssr due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., ///), the internal validation logic fails to account for a single backslash (\) bypass.

When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header:

  • An attacker provides a value starting with a single backslash (e.g., \evil.com).
  • The internal validation failed to flag the single backslash as invalid.
  • The application prepends a leading forward slash, resulting in a Location header containing /\evil.com.
  • Modern browsers interpret the /\ sequence as //, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain.

Furthermore, the response lacks the Vary: X-Forwarded-Prefix header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning).

Impact

This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:

  • Scale: A single request can poison a high-traffic route, impacting all users until the cache expires.
  • SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.
  • Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.

Patches

  • 22.0.0-next.2
  • 21.2.3
  • 20.3.21

Workarounds

Until the patch is applied, developers should sanitize the X-Forwarded-Prefix header in their server.ts before the Angular engine processes the request:

app.use((req, res, next) => {
  const prefix = req.headers['x-forwarded-prefix'];
  if (typeof prefix === 'string') {
    // Sanitize by removing all leading forward and backward slashes
    req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[/\\]+/, '/');
  }
  next();
});


Release Notes

angular/angular-cli (@angular/ssr)

v21.2.3

Compare Source

@angular/cli
Commit Type Description
1505164bb fix use parsed package name for migrate-only updates
@angular/build
Commit Type Description
75fa94cad fix alias createRequire banner import to avoid duplicate binding
d009aa1ec fix only use external packages for polyfills when no local files are present
@angular/ssr
Commit Type Description
f3e0e82c2 fix disallow x-forwarded-prefix starting with a backslash
b8bcd59b4 fix ensure unique values in redirect response Vary header
84385411d fix support custom headers in redirect responses

v21.2.2

Compare Source

@angular/cli
Commit Type Description
8447d9132 fix conditionally quote package names when adding dependencies based on host requirements
d2f209823 fix preserve exact version in ng add when requested
28f4d684a perf avoid redundant package version resolution in ng add
@angular/build
Commit Type Description
06010294f fix allow any CHROME_BIN for vitest playwright provider
8dec0c62b fix normalize line endings for CSP hash generation
58688ebd7 fix pass process environment variables to prerender workers
4ca61647f fix resolve assets correctly during i18n prerendering

v21.2.1

Compare Source

@angular/cli
Commit Type Description
ae4c28d00 fix correct dev dependency detection logic in ng add
465073bc1 fix disable npm update notifier in package manager host
36270634f fix ensure group members are updated to targeted version
d87dba6af fix ignore unknown files when formatting schematic changes
@schematics/angular
Commit Type Description
72d466aa0 fix prevent adding test dependencies when minimal option is enabled
@angular-devkit/build-angular
Commit Type Description
0019d1c8e fix update copy-webpack-plugin to v14.0.0
@angular/build
Commit Type Description
6ad860863 fix bundle polyfills to preserve execution order in dev server
d17397375 fix conditionally allow vi.mock for non-relative imports
0d49f86ed fix resolve style include paths relative to ng-package.json in unit-test builder
584f6a2d9 fix treat empty browsers array as undefined in unit-test builder
6699cdc9b perf fix memory leak in ng serve with i18n
@angular/ssr
Commit Type Description
43a9dfa66 fix improve header validation logic
dee3717b3 fix introduce DI token to signal route discovery process

v21.2.0

Compare Source

@angular/cli
Commit Type Description
0dd04f289 feat add markdown files to Prettier's formatting list
fbae1b6ab feat automatic formatting files modified by schematics
91b9d281f feat integrate file formatting into update migrations
98a24d040 feat standardize MCP tools around workspace/project options
d9cd609c5 fix correctly parse scoped packages in yarn classic list output
5b05f2500 fix enable shell option for Prettier execution on Windows platforms
25b8a157d fix quote complex range specifiers in package manager
6f29a8c35 fix renamed files by their new path in the schematic workflow
201a036f2 fix simplify Angular version compatibility checks and add special handling for local builds of new major versions
cdd26bb66 fix validate package manager version using semver.valid and throw an error if invalid
bc363af8b perf optimize package manager discovery with stat-based probing
@schematics/angular
Commit Type Description
aa7381efd feat add a '.prettierrc' file to generated workspaces and add Prettier as dev dependency
f80db6fb7 feat add ng-add support for Vitest browser providers
5d1df50d8 fix add actionable feedback to vitest-browser schematic
@angular/build
Commit Type Description
ece30f235 feat add headless option to unit-test builder
cad7a7c0f feat run vitest browser with playwright with OS theme
0b4982720 fix adjust sourcemap sources when Vitest wrapper is bypassed
1f114a9e8 fix bundle setup files in unit-test builder for Vitest
fd5cb28c8 fix explicitly fail when using Vitest runtime mocking
dc899e8a5 fix normalize allowedHosts in dev-server
26bbea12f fix serve extensionless assets without transformation

v21.1.5

Compare Source

@angular/ssr
Commit Type Description
8695d6063 fix prevent open redirect via X-Forwarded-Prefix header
e4d445ec6 fix validate host headers to prevent header-based SSRF

v21.1.4

Compare Source

@angular/build
Commit Type Description
7a9dd6b47 fix correctly resolve absolute setup file paths in Vitest

v21.1.3

Compare Source

@schematics/angular
Commit Type Description
a18196a10 fix warn when production configuration is missing for service worker
@angular-devkit/build-angular
Commit Type Description
6d05d27ca fix address Node.js deprecation DEP0190

v21.1.2

Compare Source

@angular-devkit/schematics-cli
Commit Type Description
e7458c81d fix Add boolean type inference for 'true' and 'false' string values in argument parsing
@angular-devkit/architect
Commit Type Description
d66f1fe64 fix Add boolean type inference for 'true' and 'false' string values in argument parsing
@angular/build
Commit Type Description
80911af67 fix loosen Vitest dependency checks when runnerConfig is used
2d30639d3 fix support merging coverage thresholds with Vitest runnerConfig

v21.1.1

Compare Source

@angular/cli
Commit Type Description
151b69587 fix Remove nonexistent link from MCP response
@schematics/angular
Commit Type Description
9da6d8fa7 fix correct vscode MCP configuration for new projects
361758c75 fix remove special characters from jasmine-vitest report filename
@angular/build
Commit Type Description
1b7e3307a fix allow application assets in workspace root
d1e596dc5 fix prevent incorrect catch binding removal in downleveled for-await
98ef0981a fix update undici to v7.18.2

v21.1.0

Compare Source

@angular/cli
Commit Type Description
772e6efe7 feat add 'test' and 'e2e' MCP tools
8efb86318 feat Add "all" as an experimental tool group
c3c9ac506 feat Add MCP tools for building and running devservers
d635a6c63 feat add signal forms lessons
d8b76e93d fix correctly handle yarn classic tag manifest fetching
7ab5c0b0a fix correctly spawn package managers on Windows in new abstraction
348096623 fix enhance list_projects MCP tool file system traversal and symlink handling
316fca862 fix handle array output from npm view in manifest parser
032257a6d fix improve signal forms lesson examples in AI tutor
18d74dde8 fix rename mcp devserver tools to comply with naming spec
1ad773671 fix update dependency @modelcontextprotocol/sdk to v1.25.2
45d4f5668 fix update yarn berry package manager configuration
122ed27c9 fix use project-local temporary directory in ng add
a15db28b2 perf cache resolved specific version in package manager abstraction
240588b7e perf optimize ng add version discovery
@schematics/angular
Commit Type Description
36cf3afb4 feat add browserMode option to jasmine-vitest schematic
e71a72ffd feat generate detailed migration report for refactor-jasmine-vitest
18cf6c51b fix add MCP configuration file to new workspaces
@angular/build
Commit Type Description
1eda0a99f feat directly support ng-packagr in unit-test builder
87175f9dc feat disable TestBed teardown during debugging in Vitest
1e39c77a4 fix inject source-map-support for Vitest browser tests
3fd7dcd76 fix normalize roots to POSIX in test discovery for Windows compatibility
164e7dbbc fix resolve test files correctly on Windows when using non-C drives
ad99e00ad fix simplify SSL handling for ng serve with SSR (#31722)

v21.0.6

Compare Source

@angular/ssr
Commit Type Description
730ae6609 fix handle platform destruction during rendering

v21.0.5

Compare Source

@angular/cli
Commit Type Description
249563749 fix use narrower types for new MCP TS SDK compatibility
@schematics/angular
Commit Type Description
cbd0718b9 fix move 'provideZoneChangeDetection' to the root module
33f7cf761 fix update application schematics for module-based apps to use 'provideZoneChangeDetection'
37b14d1f7 fix update default app component message
c37dccb09 fix update default app component welcome message
@angular/build
Commit Type Description
2b9be3a7c fix ensure correct project targeting during Vitest debugging

v21.0.4

Compare Source

@schematics/angular
Commit Type Description
b671245b9 fix improve VS Code background compilation start/end detection
85a28dec7 fix remove inlineSources from library tsconfig template
@angular/build
Commit Type Description
deb4fff61 fix add browser condition to resolver for vitest
570ce8d3e fix allow non-prefixed requests when using SSR and base href
4dd3c1a32 fix conditionally manage Vitest UI option
4b8b7caec fix ensure tests run when compilation error is resolved
bef4fcecb fix remove LmdbCacheStore export from private API
@angular/ssr
Commit Type Description
bb54747da fix add leading slash to well-known non-Angular URLs
0cfe2e749 fix propagate status code to redirect
eadadb848 fix skip SSR processing for well-known non-Angular URLs like favicon.ico

v21.0.3

Compare Source

@angular-devkit/build-angular
Commit Type Description
5d85f416f fix conditionally provide Zone.js change detection in the built-in test main file
@angular/build
Commit Type Description
778b4cffc fix Add custom middleware for to present an Angular-tailored message
9b02ab2ee fix Ensure disposal of close-javascript-transformer
0fc7d576e fix ensure locale base href retains leading slash (#32040)
b141670a2 fix inject testing polyfills in Karma unit-test executor
88c18ce68 fix support NODE_EXTRA_CA_CERTS in SSR SSL plugin

v21.0.2

Compare Source

@angular/cli
Commit Type Description
f1a7116cd fix update @modelcontextprotocol/sdk to v1.24.0
@angular-devkit/schematics
Commit Type Description
dc6d9469e fix remove lazy imports in node tasks
@angular/build
Commit Type Description
f8a1939fd fix add filename truncation to test discovery
86dd3297f fix allow overriding Vitest coverage reportsDirectory option

v21.0.1

Compare Source

@angular/cli
Commit Type Description
363496ae0 fix ensure dependencies are resolved correctly for node modules directory check
@schematics/angular
Commit Type Description
2f58705cb fix add missing imports for lifecycle hooks in jasmine-vitest migration
c973bb9ca fix add mock names to createSpyObj transformation
4534c9848 fix do not set esModuleInterop and moduleResolution when module is preserve
16d898e75 fix fix migration of jasmine.clock().mockDate()
21c3eac72 fix handle createSpyObj without base name on refactor-jasmine-vitest
b8c99aa4c fix improve safety of done callback transformation
4a71e06fc fix silently skip when the build target already uses one of the new builders
2ffdae421 fix support testRunner option in library schematic
145de4a58 fix warn about loose matching in arrayWithExactContents
@angular/build
Commit Type Description
d097df2d7 fix correct Vitest coverage path resolution for JSDOM on Windows
cdb607ada fix correctly configure per-browser headless mode in Vitest runner
244931ece fix correctly invoke isTTY as a function
54d542738 fix ensure correct URL joining for prerender routes
a28b38bbe fix force dev-server to use HTTP/1.1 when using SSR with SSL
59ff867f0 fix normalize --include paths to posix
@angular/ssr

| Commit | Type | Descr


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
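The three advisories quoted in the Renovate comment above share one root cause: forwarded headers reach the SSR engine unvalidated. The block below is an added example, not code from this PR, from Renovate, or from the Angular advisories; it pulls the two workaround middlewares together into framework-independent functions that can be unit-tested before being wired into server.ts. It places the single-slash normalisation the first advisory describes next to a hardened form that also covers the backslash bypass (CVE-2026-33397), validates Host/X-Forwarded-Host against an allowlist and X-Forwarded-Port as numeric (CVE-2026-27739), merges X-Forwarded-Prefix into the response's Vary header so a redirect computed for one prefix cannot be cached for another, and adds a last-line check that a Location value is not protocol-relative. `ALLOWED_HOSTS`, every function name, and the Express `app.use` integration are assumptions made for this example.

```javascript
'use strict';

// Added example: not code from the Renovate PR or the Angular advisories it quotes.
// ALLOWED_HOSTS and every function name here are assumptions for this example.

const ALLOWED_HOSTS = new Set(['your-domain.com', 'localhost']); // assumed allowlist
const HOSTNAME_RE = /^[a-z0-9.-]+$/i; // DNS-style names only; bracketed IPv6 literals are rejected
const PORT_RE = /^\d{1,5}$/;

// The normalisation the first advisory describes (strip exactly one leading
// slash), kept only to show why it is insufficient: "///evil.com" -> "//evil.com".
function weakNormalize(prefix) {
  return String(prefix).replace(/^\//, '');
}

// Hardened form: collapse every run of leading forward and back slashes into
// exactly one '/'. "///evil.com", "\evil.com" and "/\evil.com" all become "/evil.com".
function sanitizePrefix(prefix) {
  const value = String(prefix).trim();
  if (value === '') return '';
  return '/' + value.replace(/^[/\\]+/, '');
}

// A Location value beginning with "//" or "/\" is protocol-relative in browsers;
// use this as a last check before emitting a redirect.
function isProtocolRelative(location) {
  return /^[/\\]{2}/.test(String(location).trim());
}

// Validate one host header value. X-Forwarded-Host may be a comma-separated chain;
// the first entry is the client-facing host, so that is the one checked.
function validateHost(hostHeader) {
  const [hostname, port, ...extra] = String(hostHeader).split(',')[0].trim().split(':');
  if (extra.length > 0 || !HOSTNAME_RE.test(hostname)) return { ok: false, reason: 'Invalid Hostname' };
  if (!ALLOWED_HOSTS.has(hostname.toLowerCase())) return { ok: false, reason: 'Invalid Hostname' };
  if (port !== undefined && !PORT_RE.test(port)) return { ok: false, reason: 'Invalid Port' };
  return { ok: true, hostname: hostname.toLowerCase(), port };
}

// Pure check over a Node-style headers object (names already lower-cased).
// Returns { ok: true, status: 200, headers } with a normalised copy, or
// { ok: false, status: 400, reason } when the request should be rejected.
function validateForwardedHeaders(headers) {
  const hostHeader = headers['x-forwarded-host'] ?? headers['host'];
  if (hostHeader !== undefined) {
    const host = validateHost(hostHeader);
    if (!host.ok) return { ok: false, status: 400, reason: host.reason };
  }
  const portHeader = headers['x-forwarded-port'];
  if (portHeader !== undefined && !PORT_RE.test(String(portHeader).trim())) {
    return { ok: false, status: 400, reason: 'Invalid Port' };
  }
  const out = { ...headers };
  if (out['x-forwarded-prefix'] !== undefined) {
    out['x-forwarded-prefix'] = sanitizePrefix(out['x-forwarded-prefix']);
  }
  return { ok: true, status: 200, headers: out };
}

// Add a field name to an existing Vary value without duplicating it (case-insensitive);
// a wildcard Vary already covers everything.
function mergeVary(existing, name) {
  const names = existing ? String(existing).split(',').map((s) => s.trim()).filter(Boolean) : [];
  if (names.includes('*')) return '*';
  if (!names.some((n) => n.toLowerCase() === name.toLowerCase())) names.push(name);
  return names.join(', ');
}

// Express-style middleware (assumed integration point): app.use(forwardedHeadersMiddleware)
// in server.ts, before the Angular engine handles the request. Rejects bad hosts and
// ports, rewrites the prefix in place, and makes the response vary on the prefix so
// a redirect computed from one prefix is never served from a shared cache for another.
function forwardedHeadersMiddleware(req, res, next) {
  const result = validateForwardedHeaders(req.headers);
  if (!result.ok) return res.status(result.status).send(result.reason);
  if (result.headers['x-forwarded-prefix'] !== undefined) {
    req.headers['x-forwarded-prefix'] = result.headers['x-forwarded-prefix'];
    res.setHeader('Vary', mergeVary(res.getHeader('Vary'), 'X-Forwarded-Prefix'));
  }
  return next();
}
```

Register `forwardedHeadersMiddleware` ahead of the Angular request handler; the pure `validateForwardedHeaders` function is what a unit test or a log-replay harness should exercise, since it takes a plain headers object and returns the decision without touching a response. The `Vary` merge is kept case-insensitive and idempotent so it is safe to apply on every request, including ones where a CDN has already set its own `Vary` value.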


netlify bot commented Mar 19, 2026

Deploy Preview for angular-runtime-demo failed. Why did it fail? →

Name Link
🔨 Latest commit f89fccc
🔍 Latest deploy log https://app.netlify.com/projects/angular-runtime-demo/deploys/69bc75e39046260008fcc596

@github-actions github-actions bot added the type: chore work needed to keep the product and development running smoothly label Mar 19, 2026

Labels

bump-framework-in-fixtures dependencies javascript type: chore work needed to keep the product and development running smoothly
