chore(deps): update dependency @angular/ssr to v21.1.5 [security] #420

Open

renovate[bot] wants to merge 1 commit into main from renovate/npm-angular-ssr-vulnerability

Conversation

renovate bot (Contributor) commented Feb 25, 2026

This PR contains the following updates:

Package       Change
@angular/ssr  21.0.0 -> 21.1.5

GitHub Vulnerability Alerts

CVE-2026-27738

An Open Redirect vulnerability exists in the internal URL processing logic in Angular SSR. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash.

When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header, an attacker can provide a value starting with three slashes (e.g., ///evil.com).

  1. The application processes a redirect (e.g., from a router redirectTo or i18n locale switch).
  2. Angular receives ///evil.com as the prefix.
  3. It strips one slash, leaving //evil.com.
  4. The resulting string is used in the Location header.
  5. Modern browsers interpret // as a protocol-relative URL, redirecting the user from https://your-app.com to https://evil.com.

Impact

This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:

  • Scale: A single request can poison a high-traffic route, impacting all users until the cache expires.
  • SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.
  • Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.

Attack Preconditions

  • The application must use Angular SSR.
  • The application must have routes that perform internal redirects.
  • The infrastructure (Reverse Proxy/CDN) must pass the X-Forwarded-Prefix header to the SSR process without sanitization.
  • The cache must not vary on the X-Forwarded-Prefix header.

Patches

  • 21.2.0-rc.1
  • 21.1.5
  • 20.3.17
  • 19.2.21

Workarounds

Until the patch is applied, developers should sanitize the X-Forwarded-Prefix header in theirserver.ts before the Angular engine processes the request:

app.use((req, res, next) => {
  const prefix = req.headers['x-forwarded-prefix']?.trim();
  if (prefix) {
    // Collapse any run of leading slashes or backslashes to a single slash
    req.headers['x-forwarded-prefix'] = prefix.replace(/^[/\\]+/, '/');
  }
  next();
});

CVE-2026-27739

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers, specifically the Host and X-Forwarded-* family, to determine the application's base origin without any validation of the destination domain.

Specifically, the framework didn't have checks for the following:

  • Host Domain: The Host and X-Forwarded-Host headers were not checked to belong to a trusted origin. This allows an attacker to redefine the "base" of the application to an arbitrary external domain.
  • Path & Character Sanitization: The X-Forwarded-Host header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs.
  • Port Validation: The X-Forwarded-Port header was not verified as numeric, leading to malformed URI construction or injection attacks.

This vulnerability manifests in two primary ways:

  • Implicit Relative URL Resolution: Angular's HttpClient resolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can "steer" these requests to an external server or internal service.
  • Explicit Manual Construction: Developers injecting the REQUEST object to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing the Host / X-Forwarded-* headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.

Impact

When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to:

  • Credential Exfiltration: Stealing sensitive Authorization headers or session cookies by redirecting them to an attacker's server.
  • Internal Network Probing: Accessing and transmitting data from internal services, databases, or cloud metadata endpoints (e.g., 169.254.169.254) not exposed to the public internet.
  • Confidentiality Breach: Accessing sensitive information processed within the application's server-side context.

Attack Preconditions

  • The victim application must use Angular SSR (Server-Side Rendering).
  • The application must perform HttpClient requests using relative URLs OR manually construct URLs using the unvalidated Host / X-Forwarded-* headers using the REQUEST object.
  • Direct Header Access: The application server is reachable by an attacker who can influence these headers without strict validation from a front-facing proxy.
  • Lack of Upstream Validation: The infrastructure (Cloud, CDN, or Load Balancer) does not sanitize or validate incoming headers.

Patches

  • 21.2.0-rc.1
  • 21.1.5
  • 20.3.17
  • 19.2.21

Workarounds

  • Use Absolute URLs: Avoid using req.headers for URL construction. Instead, use trusted variables for your base API paths.
  • Implement Strict Header Validation (Middleware): If you cannot upgrade immediately, implement a middleware in your server.ts to enforce numeric ports and validated hostnames.

const ALLOWED_HOSTS = new Set(['your-domain.com']);

app.use((req, res, next) => {
  const hostHeader = (req.headers['x-forwarded-host'] ?? req.headers['host'])?.toString();
  const portHeader = req.headers['x-forwarded-port']?.toString();

  if (hostHeader) {
    const hostname = hostHeader.split(':')[0];
    // Reject if hostname contains path separators or other non-DNS characters,
    // or is not in the allowlist
    if (!/^[a-z0-9.-]+$/i.test(hostname) ||
       (!ALLOWED_HOSTS.has(hostname) && hostname !== 'localhost')) {
      return res.status(400).send('Invalid Hostname');
    }
  }

  // Ensure port is strictly numeric if provided
  if (portHeader && !/^\d+$/.test(portHeader)) {
    return res.status(400).send('Invalid Port');
  }

  next();
});

Release Notes

angular/angular-cli (@angular/ssr)

v21.1.5

@angular/ssr
Commit Type Description
8695d6063 fix prevent open redirect via X-Forwarded-Prefix header
e4d445ec6 fix validate host headers to prevent header-based SSRF

v21.1.4

@angular/build
Commit Type Description
7a9dd6b47 fix correctly resolve absolute setup file paths in Vitest

v21.1.3

@schematics/angular
Commit Type Description
a18196a10 fix warn when production configuration is missing for service worker
@angular-devkit/build-angular
Commit Type Description
6d05d27ca fix address Node.js deprecation DEP0190

v21.1.2

@angular-devkit/schematics-cli
Commit Type Description
e7458c81d fix Add boolean type inference for 'true' and 'false' string values in argument parsing
@angular-devkit/architect
Commit Type Description
d66f1fe64 fix Add boolean type inference for 'true' and 'false' string values in argument parsing
@angular/build
Commit Type Description
80911af67 fix loosen Vitest dependency checks when runnerConfig is used
2d30639d3 fix support merging coverage thresholds with Vitest runnerConfig

v21.1.1

@angular/cli
Commit Type Description
151b69587 fix Remove nonexistent link from MCP response
@schematics/angular
Commit Type Description
9da6d8fa7 fix correct vscode MCP configuration for new projects
361758c75 fix remove special characters from jasmine-vitest report filename
@angular/build
Commit Type Description
1b7e3307a fix allow application assets in workspace root
d1e596dc5 fix prevent incorrect catch binding removal in downleveled for-await
98ef0981a fix update undici to v7.18.2

v21.1.0

@angular/cli
Commit Type Description
772e6efe7 feat add 'test' and 'e2e' MCP tools
8efb86318 feat Add "all" as an experimental tool group
c3c9ac506 feat Add MCP tools for building and running devservers
d635a6c63 feat add signal forms lessons
d8b76e93d fix correctly handle yarn classic tag manifest fetching
7ab5c0b0a fix correctly spawn package managers on Windows in new abstraction
348096623 fix enhance list_projects MCP tool file system traversal and symlink handling
316fca862 fix handle array output from npm view in manifest parser
032257a6d fix improve signal forms lesson examples in AI tutor
18d74dde8 fix rename mcp devserver tools to comply with naming spec
1ad773671 fix update dependency @modelcontextprotocol/sdk to v1.25.2
45d4f5668 fix update yarn berry package manager configuration
122ed27c9 fix use project-local temporary directory in ng add
a15db28b2 perf cache resolved specific version in package manager abstraction
240588b7e perf optimize ng add version discovery
@schematics/angular
Commit Type Description
36cf3afb4 feat add browserMode option to jasmine-vitest schematic
e71a72ffd feat generate detailed migration report for refactor-jasmine-vitest
18cf6c51b fix add MCP configuration file to new workspaces
@angular/build
Commit Type Description
1eda0a99f feat directly support ng-packagr in unit-test builder
87175f9dc feat disable TestBed teardown during debugging in Vitest
1e39c77a4 fix inject source-map-support for Vitest browser tests
3fd7dcd76 fix normalize roots to POSIX in test discovery for Windows compatibility
164e7dbbc fix resolve test files correctly on Windows when using non-C drives
ad99e00ad fix simplify SSL handling for ng serve with SSR (#31722)

v21.0.6

@angular/ssr
Commit Type Description
730ae6609 fix handle platform destruction during rendering

v21.0.5

@angular/cli
Commit Type Description
249563749 fix use narrower types for new MCP TS SDK compatibility
@schematics/angular
Commit Type Description
cbd0718b9 fix move 'provideZoneChangeDetection' to the root module
33f7cf761 fix update application schematics for module-based apps to use 'provideZoneChangeDetection'
37b14d1f7 fix update default app component message
c37dccb09 fix update default app component welcome message
@angular/build
Commit Type Description
2b9be3a7c fix ensure correct project targeting during Vitest debugging

v21.0.4

@schematics/angular
Commit Type Description
b671245b9 fix improve VS Code background compilation start/end detection
85a28dec7 fix remove inlineSources from library tsconfig template
@angular/build
Commit Type Description
deb4fff61 fix add browser condition to resolver for vitest
570ce8d3e fix allow non-prefixed requests when using SSR and base href
4dd3c1a32 fix conditionally manage Vitest UI option
4b8b7caec fix ensure tests run when compilation error is resolved
bef4fcecb fix remove LmdbCacheStore export from private API
@angular/ssr
Commit Type Description
bb54747da fix add leading slash to well-known non-Angular URLs
0cfe2e749 fix propagate status code to redirect
eadadb848 fix skip SSR processing for well-known non-Angular URLs like favicon.ico

v21.0.3

@angular-devkit/build-angular
Commit Type Description
5d85f416f fix conditionally provide Zone.js change detection in the built-in test main file
@angular/build
Commit Type Description
778b4cffc fix Add custom middleware for to present an Angular-tailored message
9b02ab2ee fix Ensure disposal of close-javascript-transformer
0fc7d576e fix ensure locale base href retains leading slash (#32040)
b141670a2 fix inject testing polyfills in Karma unit-test executor
88c18ce68 fix support NODE_EXTRA_CA_CERTS in SSR SSL plugin

v21.0.2

@angular/cli
Commit Type Description
f1a7116cd fix update @modelcontextprotocol/sdk to v1.24.0
@angular-devkit/schematics
Commit Type Description
dc6d9469e fix remove lazy imports in node tasks
@angular/build
Commit Type Description
f8a1939fd fix add filename truncation to test discovery
86dd3297f fix allow overriding Vitest coverage reportsDirectory option

v21.0.1

@angular/cli
Commit Type Description
363496ae0 fix ensure dependencies are resolved correctly for node modules directory check
@schematics/angular
Commit Type Description
2f58705cb fix add missing imports for lifecycle hooks in jasmine-vitest migration
c973bb9ca fix add mock names to createSpyObj transformation
4534c9848 fix do not set esModuleInterop and moduleResolution when module is preserve
16d898e75 fix fix migration of jasmine.clock().mockDate()
21c3eac72 fix handle createSpyObj without base name on refactor-jasmine-vitest
b8c99aa4c fix improve safety of done callback transformation
4a71e06fc fix silently skip when the build target already uses one of the new builders
2ffdae421 fix support testRunner option in library schematic
145de4a58 fix warn about loose matching in arrayWithExactContents
@angular/build
Commit Type Description
d097df2d7 fix correct Vitest coverage path resolution for JSDOM on Windows
cdb607ada fix correctly configure per-browser headless mode in Vitest runner
244931ece fix correctly invoke isTTY as a function
54d542738 fix ensure correct URL joining for prerender routes
a28b38bbe fix force dev-server to use HTTP/1.1 when using SSR with SSL
59ff867f0 fix normalize --include paths to posix
@angular/ssr
Commit Type Description
03e231216 fix handle X-Forwarded-Prefix and APP_BASE_HREF in redirects
3cac01882 fix prevent redirect loop with encoded query parameters

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate.
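Added example, not code from the Angular project or from the advisories above: the single-slash normalization that CVE-2026-27738 describes beside a hardened prefix sanitizer, plus the host and port checks the CVE-2026-27739 workaround calls for, written as pure functions with an Express-style guard. The function names, the ALLOWED_HOSTS values and the app.use(req, res, next) signature are assumptions.

```javascript
// Added example, not the Angular project's code: the header checks the
// advisories above describe, written as pure functions a server.ts guard can call.

// Defective normalization as CVE-2026-27738 describes it: only one leading
// slash is removed, so '///evil.com' becomes the protocol-relative '//evil.com'.
function stripSingleSlash(segment) {
  return segment.startsWith('/') ? segment.slice(1) : segment;
}

// Hardened form, matching the advisory's workaround: collapse any run of leading
// slashes or backslashes to a single '/', so the prefix can never begin with '//'.
function sanitizeForwardedPrefix(prefix) {
  const trimmed = String(prefix ?? '').trim();
  return trimmed ? trimmed.replace(/^[/\\]+/, '/') : '';
}

// True when browsers would read a Location value as protocol-relative.
function isProtocolRelative(location) {
  return /^[/\\]{2}/.test(location);
}

// Host allowlist for CVE-2026-27739 (assumed values; IPv6 literals not handled).
// The hostname must be plain DNS characters, so path separators are rejected.
const ALLOWED_HOSTS = new Set(['your-app.com', 'localhost']);
function validateHost(hostHeader) {
  if (!hostHeader) return { ok: false, reason: 'missing host' };
  const hostname = String(hostHeader).split(':')[0].toLowerCase();
  if (!/^[a-z0-9.-]+$/.test(hostname)) return { ok: false, reason: 'bad characters' };
  if (!ALLOWED_HOSTS.has(hostname)) return { ok: false, reason: 'not allowlisted' };
  return { ok: true, hostname };
}
// X-Forwarded-Port must be strictly numeric and a valid TCP port number.
function validatePort(portHeader) {
  if (portHeader === undefined) return true;
  if (!/^\d{1,5}$/.test(String(portHeader))) return false;
  const n = Number(portHeader);
  return n >= 1 && n <= 65535;
}

// Express-style guard (assumed app.use(req, res, next) signature): reject bad
// host/port headers, then rewrite X-Forwarded-Prefix before Angular sees it.
function forwardedHeadersGuard(req, res, next) {
  const host = validateHost(req.headers['x-forwarded-host'] ?? req.headers['host']);
  if (!host.ok) return res.status(400).send('Invalid Hostname');
  if (!validatePort(req.headers['x-forwarded-port'])) return res.status(400).send('Invalid Port');
  if (req.headers['x-forwarded-prefix'] !== undefined) {
    req.headers['x-forwarded-prefix'] = sanitizeForwardedPrefix(req.headers['x-forwarded-prefix']);
  }
  next();
}
```

Register the guard with app.use(forwardedHeadersGuard) ahead of the Angular engine handler; the prefix rewrite only runs after the host and port checks pass.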

netlify bot commented Feb 25, 2026

Deploy Preview for angular-runtime-demo failed.

Name                  Link
🔨 Latest commit      a6c4c86
🔍 Latest deploy log  https://app.netlify.com/projects/angular-runtime-demo/deploys/699f8bc0a8c7fe000763123a

@github-actions github-actions bot added the type: chore work needed to keep the product and development running smoothly label Feb 25, 2026
Labels: bump-framework-in-fixtures, dependencies, javascript, type: chore (work needed to keep the product and development running smoothly)
