Angular has released security patches addressing two vulnerabilities in its SSR (Server-Side Rendering) package. The first is a Server-Side Request Forgery (SSRF) and Header Injection flaw where Angular's URL reconstruction logic incorrectly trusted user-controlled HTTP headers (Host and X-Forwarded-*) without validating the destination domain. The second is an Open Redirect vulnerability via the X-Forwarded-Prefix header, where insufficient slash stripping allowed attackers to redirect users to attacker-controlled origins and potentially poison cached responses. Developers using Angular SSR in production are urged to update immediately using `ng update @angular/ssr@<patched-version>`. Workarounds including middleware-based header validation are provided for those unable to update immediately.
Table of contents
SSRF and Header Injection in Angular SSR
Workarounds
Open Redirect via X-Forwarded-Prefix in Angular SSR
Workarounds
Conclusion
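The middleware-based header validation mentioned as a workaround, as an added example that is not Angular's own code nor the advisory's published snippet: it allowlists Host/X-Forwarded-Host, restricts X-Forwarded-Proto, and rejects any X-Forwarded-Prefix that could be read as a protocol-relative origin. The function names and the ALLOWED_HOSTS values are assumptions.

```javascript
// Added example (not Angular's code): guard middleware for an Express-style Angular SSR
// server. ALLOWED_HOSTS is a constructed placeholder; use the site's real public hostnames.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

// Accept a Host / X-Forwarded-Host value only if it is a single allowlisted
// hostname (optional port tolerated); proxy chains such as "a, b" are rejected.
function isAllowedHost(value) {
  if (typeof value !== 'string' || value.includes(',')) return false;
  const host = value.trim().toLowerCase().replace(/:\d+$/, '');
  return ALLOWED_HOSTS.has(host);
}

// Normalise X-Forwarded-Prefix to a same-origin path. Anything that could be read
// as a protocol-relative URL ("//host", "/\host"), a relative path or a
// header-splitting attempt is rejected by returning null.
function sanitizePrefix(value) {
  if (value === undefined) return '';           // header absent: no prefix
  if (typeof value !== 'string') return null;
  const p = value.trim();
  if (p === '') return '';
  if (!p.startsWith('/')) return null;          // must be an absolute path
  if (/^\/[\\/]/.test(p)) return null;          // "//evil.example" or "/\evil.example"
  if (/[\\\r\n]/.test(p)) return null;          // backslashes, CR, LF anywhere
  return p.replace(/\/+$/, '');                 // drop trailing slashes
}

// Vet every header that URL reconstruction reads; returns { ok, reason, prefix }.
function checkForwardedHeaders(headers) {
  const host = headers['x-forwarded-host'] ?? headers['host'];
  if (!isAllowedHost(host)) return { ok: false, reason: 'untrusted host', prefix: '' };
  const proto = headers['x-forwarded-proto'];
  if (proto !== undefined && !['http', 'https'].includes(String(proto).toLowerCase())) {
    return { ok: false, reason: 'bad proto', prefix: '' };
  }
  const prefix = sanitizePrefix(headers['x-forwarded-prefix']);
  if (prefix === null) return { ok: false, reason: 'bad prefix', prefix: '' };
  return { ok: true, reason: '', prefix };
}

// Express-compatible middleware: mount it before the Angular SSR request handler.
function forwardedHeaderGuard(req, res, next) {
  const result = checkForwardedHeaders(req.headers);
  if (!result.ok) {
    res.statusCode = 400;                       // refuse to render or cache a poisoned URL
    return res.end('Bad Request');
  }
  if (req.headers['x-forwarded-prefix'] !== undefined) req.headers['x-forwarded-prefix'] = result.prefix;
  next();
}
```

Rejecting with a 400 rather than silently rewriting keeps a poisoned response out of any cache in front of the server, and a 400 spike on these headers is a useful detection signal.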