Fix @angular/ssr CVE-2026-27739 — SSRF via Unvalidated Headers

Updated April 10, 2026 · CRITICAL · CVSS 9.2 · GHSA-x288-3778-4hhx

CVE-2026-27739 is a Server-Side Request Forgery (SSRF) vulnerability in Angular's server-side rendering (SSR) engine. The createRequestUrl() function builds the base URL for a render from the Host and X-Forwarded-Host request headers without validating them, so an attacker who controls those headers can redirect the SSR server's own outbound requests, credentials included, to a host of their choosing. Patched releases exist for the 19.x, 20.x and 21.x lines; Angular 18 and below get no patch.

Affected versions

  Package                                  Vulnerable      Fixed in
  @angular/ssr 19.x and earlier            < 19.2.21       19.2.21 (19.x only; 17.x and 18.x receive no patch)
  @angular/ssr 20.x                        < 20.3.17       20.3.17
  @angular/ssr 21.x                        < 21.1.5        21.1.5
  @nguniversal/* (Angular 16 and below)    all versions    none (EOL)

Fix — update @angular/ssr

# Angular 19 users
npm install @angular/ssr@19.2.21

# Angular 20 users
npm install @angular/ssr@20.3.17

# Angular 21 users
npm install @angular/ssr@21.1.5

# Verify
npm list @angular/ssr

Workaround for Angular 18 and below (no patch available)

Register a header validation middleware in server.ts ahead of the handler that passes requests to the Angular engine, so that a request carrying an untrusted Host or X-Forwarded-Host never reaches createRequestUrl(). Both headers must be checked: stripping X-Forwarded-Host alone leaves the engine falling back to Host, which the client also controls.

// server.ts
const ALLOWED_HOSTS = new Set(['your-domain.com', 'www.your-domain.com']);

// Reduce a Host/X-Forwarded-Host value to a bare hostname: first entry of a
// comma-separated proxy chain, port removed, bracketed IPv6 literal kept intact.
function hostnameOf(value: string): string {
  const first = value.split(',')[0].trim();
  const v6 = /^\[([^\]]+)\](?::\d+)?$/.exec(first);
  return (v6 ? v6[1] : first.split(':')[0]).toLowerCase();
}

app.use((req, res, next) => {
  // Check every header the SSR engine may read, not only the first one present.
  for (const name of ['host', 'x-forwarded-host']) {
    const value = req.headers[name];
    if (value !== undefined && !ALLOWED_HOSTS.has(hostnameOf(String(value)))) {
      // Refuse the request outright rather than silently rewriting headers.
      return res.status(400).send('Bad Request');
    }
  }
  next();
});

Root cause — createRequestUrl()

The vulnerability is in packages/angular/ssr/node/src/request.ts. createRequestUrl() reads the host and x-forwarded-host headers to build the base URL against which a render resolves relative requests. Before the patch no hostname validation existed, so an attacker who sends X-Forwarded-Host: evil.com makes every relative HttpClient call issued during SSR resolve against evil.com, and the Authorization headers and cookies the app attaches to those calls are delivered to the attacker's server.
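To make the resolution step concrete, the block below is an added example (not Angular's code) that models base-URL construction from request headers in two forms: baseUrlTrusting() mirrors the pre-patch behaviour described above, and baseUrlValidated() is a hardened form that checks both host-bearing headers against an allowlist. The helper names, the HeaderMap type, the allowlist and the request headers are this example's own assumptions; it runs under Node with no dependencies.

```typescript
// Added example, not Angular's code: simplified model of how an SSR server
// turns request headers into the base URL that relative HttpClient calls
// resolve against. Names and sample data are assumptions for illustration.

type HeaderMap = Record<string, string | string[] | undefined>;

// Node exposes most headers as single strings, but a proxy chain may join
// several X-Forwarded-Host values with commas; the first is the client-facing host.
function firstValue(v: string | string[] | undefined): string | undefined {
  if (v === undefined) return undefined;
  const raw = Array.isArray(v) ? v[0] : v;
  const first = raw.split(',')[0].trim();
  return first === '' ? undefined : first;
}

// Strip the port, keeping a bracketed IPv6 literal intact.
function hostnameOf(hostHeader: string): string {
  const v6 = /^\[([^\]]+)\](?::\d+)?$/.exec(hostHeader);
  if (v6) return v6[1].toLowerCase();
  return hostHeader.split(':')[0].toLowerCase();
}

// Trusting variant: whatever the client (or an attacker) sent becomes the origin.
function baseUrlTrusting(headers: HeaderMap): string {
  const proto = firstValue(headers['x-forwarded-proto']) ?? 'http';
  const host =
    firstValue(headers['x-forwarded-host']) ?? firstValue(headers['host']) ?? 'localhost';
  return `${proto}://${host}`;
}

// Hardened variant: every host-bearing header must name an allowlisted host,
// and a request without a usable Host header is refused rather than guessed.
function baseUrlValidated(headers: HeaderMap, allowed: ReadonlySet<string>): string {
  const host = firstValue(headers['host']);
  const forwarded = firstValue(headers['x-forwarded-host']);
  for (const candidate of [host, forwarded]) {
    if (candidate !== undefined && !allowed.has(hostnameOf(candidate))) {
      throw new Error(`untrusted host header value: ${candidate}`);
    }
  }
  const chosen = forwarded ?? host;
  if (chosen === undefined) throw new Error('request carries no Host header');
  const proto = firstValue(headers['x-forwarded-proto']) === 'https' ? 'https' : 'http';
  return `${proto}://${chosen}`;
}

// How a root-relative HttpClient call becomes an absolute URL during SSR.
function resolveRelative(base: string, path: string): string {
  return new URL(path, base).toString();
}

// Assumed allowlist for the demo.
const ALLOWED_HOSTS: ReadonlySet<string> = new Set(['www.example.com', 'example.com']);

// Constructed request headers: a legitimate Host plus an attacker-supplied X-Forwarded-Host.
const attackerHeaders: HeaderMap = {
  host: 'www.example.com',
  'x-forwarded-host': 'evil.example',
  authorization: 'Bearer <session token>',
};

// Runs the same relative call through both variants and reports where it would go.
function demo(): { trusting: string; validated: string } {
  const trusting = resolveRelative(baseUrlTrusting(attackerHeaders), '/api/session');
  let validated: string;
  try {
    validated = resolveRelative(baseUrlValidated(attackerHeaders, ALLOWED_HOSTS), '/api/session');
  } catch (e) {
    validated = `rejected: ${(e as Error).message}`;
  }
  return { trusting, validated };
}

console.log(demo());
```

The trusting variant sends the app's /api/session call, and whatever bearer token the app attaches to it, to evil.example; the validated variant refuses the request before any URL is built. Note that the check runs on the first entry of a comma-joined X-Forwarded-Host, so a chain such as "evil.example, www.example.com" is also rejected.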

Cloud metadata risk (AWS / GCP)

If your Angular SSR app runs on EC2 or GCP, an attacker can set X-Forwarded-Host: 169.254.169.254 so that the SSR server's relative HttpClient calls are sent to the instance metadata endpoint. Because Angular's HTTP transfer cache serialises SSR-time GET responses into the rendered HTML when hydration is enabled (the default since Angular 17), the response comes back to the attacker inside the page: instance metadata and IAM credentials, escalating the SSRF to cloud account compromise. Two caveats a practitioner should check before ranking this path: AWS IMDSv1 answers bare GETs, but IMDSv2 requires a session token obtained with a PUT request, and GCP rejects requests that lack the Metadata-Flavor: Google header, neither of which an unmodified HttpClient call supplies. Enforcing IMDSv2 therefore narrows this path considerably, though it does not fix the SSRF itself.


Common questions

Is Angular 18 getting a patch for CVE-2026-27739?
No. Angular 18 reached end of life in early 2026, and the Angular project does not issue patches for EOL versions. If you are on Angular 18, your options are: upgrade to Angular 19 with @angular/ssr 19.2.21 or later, add the header validation middleware described above, or strip X-Forwarded-Host at the edge (WAF or reverse proxy) and have the edge set it to a trusted value.
Does this affect Angular apps that don't use SSR?
No. CVE-2026-27739 is exclusively in @angular/ssr (and the legacy @nguniversal packages). Client-side-only Angular apps are not affected. The vulnerability is in how the SSR engine reconstructs URLs from HTTP headers on the server.
What is the header validation middleware workaround?
Middleware in server.ts that checks the Host and X-Forwarded-Host headers against an allowlist of trusted hostnames and rejects any request that fails, registered before the Angular engine sees the request. It closes the attack vector without an immediate version upgrade. The code in the workaround section above is one implementation; consult the Angular security advisory (GHSA-x288-3778-4hhx) for the project's own guidance.
Does this affect Vercel, Netlify, or similar platforms?
It depends on whether the platform strips or overwrites X-Forwarded-Host before the request reaches your SSR process. Some CDNs and proxies set their own trusted value; others pass the client's header through unchanged. Check the platform documentation, then verify by sending a request with a crafted header such as X-Forwarded-Host: canary.invalid and confirming that the value appears neither in the rendered page nor in the SSR server's outbound requests.
What is the cloud metadata risk?
If your Angular SSR app runs on AWS EC2 or GCP, X-Forwarded-Host: 169.254.169.254 points the server's relative HttpClient calls at the instance metadata service. On AWS with IMDSv1 this can expose IAM credentials and instance metadata; IMDSv2 (session token required) and GCP (Metadata-Flavor: Google header required) reject such bare requests, which is one more reason to enforce IMDSv2. This is the most severe exploitation path.

Vulnerability data sourced from the OSV database and public package registries. Always test dependency updates in a staging environment before deploying to production. PackageFix provides these tools for informational purposes only and cannot guarantee that pinned versions are free from undiscovered vulnerabilities.