31 matches found

Veracode
added 2025/12/08 10:15 a.m., 9 views

Server-Side Request Forgery (SSRF)

@angular/ssr is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper URL resolution in the createRequestUrl function that treats paths beginning with // or \ as schema-relative URLs, which allows an attacker to override the intended base URL and force the server to...

CVSS 8.7, AI score 7, EPSS 0.00397
Exploits: 1, References: 3, Affected Software: 1
vulnersOsv
added 2025/10/16 9:28 p.m., 1 view

@dl3g0/primeng (=17.17.0-20.0.3), @hmcts/ccd-case-ui-toolkit (>=7.3.49-4369 <=7.3.51) +15 more potentially affected by CVE-2025-62427 via @angular/ssr (>=20.3.18 <=20.3.26)

@angular/ssr NPM version =20.3.18, =7.3.49-4369, =4.2.4-exui-3994-f, =0.0.4, =0.3.0, =20.0.0, =0.0.0, =1.0.2, =0.0.0, =0.1.0, =0.0.8, =0.0.12 and more Source cves: CVE-2025-62427 Source advisory: OSV:GHSA-Q63Q-PGMF-MXHR...

CVSS 8.7, AI score 7.4, EPSS 0.00397
Exploits: 1
Snyk
added 2025/10/16 7:42 p.m., 8 views

Server-side Request Forgery (SSRF)

Overview: @angular/ssr is the Angular server side rendering utilities. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the createRequestUrl function. An attacker can cause the server to make arbitrary HTTP requests to external domains by supplying a...

CVSS 8.7, AI score 7.1, EPSS 0.00397
Exploits: 1, References: 2
vulnersOsv
added 2025/10/16 7:42 p.m., 8 views

@manniwatch/client-desktop (>=0.30.0 <=0.30.1), @manniwatch/client-ng (>=0.30.0 <=0.30.1) +2 more potentially affected by CVE-2025-62427 via @angular/ssr (>=19.0.5 <=19.2.1)

@angular/ssr NPM version =19.0.5, =0.30.0, =0.30.0, =19.0.0-alpha.20, =19.0.0-alpha.20, =19.0.0-alpha.24 Source cves: CVE-2025-62427 Source advisory: SNYK:JS-ANGULARSSR-13635722...

CVSS 8.7, AI score 7.2, EPSS 0.00397
Exploits: 1
Vulnrichment
added 2025/10/16 6:50 p.m., 10 views

CVE-2025-62427 Server-Side Request Forgery (SSRF) in Angular SSR

The Angular CLI is a command-line interface tool for Angular applications. The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package @angular/ssr before 19.2.18, 20.3.6, and 21.0.0-next.8. The function...

CVSS 8.7, AI score 6.6, EPSS 0.00397
Exploits: 1, References: 2
vulnersOsv
added 2025/09/10 9:56 p.m., 6 views

@adel-t/angular-ssr (>=1.0.0 <=1.0.2), @angularexpert/my-workspace (=0.0.0) +39 more potentially affected by CVE-2025-59052 via @angular/ssr (>=17.0.5 <=18.2.13)

@angular/ssr NPM version =17.0.5, =1.0.0, =1.0.0, =0.0.1, =0.0.1, =8.0.0, =0.0.0, =0.0.2, =0.0.11 - atlassian-components-library =0.0.0 - bwiser-workspace =0.0.6 - bworkman-resume =0.0.0 and more Source cves: CVE-2025-59052 Source advisory: OSV:GHSA-68X2-MX4Q-78M7...

CVSS 7.1, AI score 7.2, EPSS 0.00326
Exploits: 1
vulnersOsv
added 2025/09/10 8:44 p.m., 5 views

@manniwatch/client-desktop (>=0.30.0 <=0.30.1), @manniwatch/client-ng (>=0.30.0 <=0.30.1) +2 more potentially affected by CVE-2025-59052 via @angular/ssr (>=19.0.5 <=19.2.1)

@angular/ssr NPM version =19.0.5, =0.30.0, =0.30.0, =19.0.0-alpha.20, =19.0.0-alpha.20, =19.0.0-alpha.24 Source cves: CVE-2025-59052 Source advisory: SNYK:JS-ANGULARSSR-12613576...

CVSS 7.1, AI score 7.2, EPSS 0.00326
Exploits: 1
Snyk
added 2025/09/10 8:44 p.m., 6 views

Race Condition

Overview: @angular/ssr is the Angular server side rendering utilities. Affected versions of this package are vulnerable to Race Condition between multiple concurrent requests in the global platform injector, when using the bootstrapApplication, getPlatform, or destroyPlatform functions. This...

CVSS 7.1, AI score 7, EPSS 0.00326
Exploits: 1, References: 2
OSV
added 2025/09/10 8:13 p.m., 6 views

CVE-2025-59052 Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as ...

CVSS 7.1, AI score 6.6, EPSS 0.00326
Exploits: 1, References: 5
Cvelist
added 2023/03/24 7:58 p.m., 20 views

CVE-2023-28444 angular-server-side-configuration information disclosure vulnerability in monorepo with node.js backend

angular-server-side-configuration helps configure an angular application at runtime on the server or in a docker container via environment variables. angular-server-side-configuration detects used environment variables in TypeScript (.ts) files during build time of an Angular CLI project. The...

CVSS 9.9, AI score 9.6, EPSS 0.00759
Exploits: 0, References: 3
CNNVD
added 2023/03/24 12:00 a.m., 3 views

angular-server-side-configuration information disclosure vulnerability

angular-server-side-configuration is an application. A security vulnerability exists in angular-server-side-configuration versions 15.0.0 through 15.1.0, which stems from the presence of an information disclosure vulnerability...

CVSS 9.9, AI score 7.7, EPSS 0.00759
Exploits: 0, References: 4