← Back to feed
Security patch:
[HIGH] GHSA-rfh7-fxqc-q52v: @angular/platform-server: SSRF via Hostname Hijacking
GitHub Security Advisory·Security·SecurityFix·5/19/2026
### Impact A Server-Side Request Forgery (SSRF) vulnerability exists in `@angular/platform-server`. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., `http://evil.com`) is passed to the
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
@angular/platform-servertypescript
View original source ↗Source payload preview
{
"ghsaId": "GHSA-rfh7-fxqc-q52v",
"summary": "@angular/platform-server: SSRF via Hostname Hijacking",
"severity": "HIGH",
"updatedAt": "2026-05-19T20:29:53Z",
"references": [
{
"url": "https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v"
},
{
"url": "https://github.com/angular/angular/pull/68570"
},
{
"url": "https://github.com/advisories/GHSA-rfh7-fxqc-q52v"
}
],
"description": "### Impact\n\nA Server-Side Request Forgery (SSRF) vulnerability exists in `@angular/platform-server`. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points.\n\nWhen an absolute-form URL (e.g., `http://evil.com`) is passed to the rendering engine, the internal `
…