npm package

@angular/ssr

pkg:npm/%40angular/ssr

Vulnerabilities (6)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-44437	Med	—	>= 22.0.0-next.0, < 22.0.0-next.7	22.0.0-next.7	May 13, 2026	The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails
CVE-2026-33397	Med	6.1	>= 22.0.0-next.0, < 22.0.0-next.2	22.0.0-next.2	Mar 26, 2026	The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for C
CVE-2026-27739	Cri	—	>= 21.2.0-next.0, < 21.2.0-rc.1	21.2.0-rc.1	Feb 25, 2026	The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s i
CVE-2026-27738	Med	—	>= 21.2.0-next.0, < 21.2.0-rc.1	21.2.0-rc.1	Feb 25, 2026	The Angular SSR is a server-rise rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-r
CVE-2025-62427	Hig	—	>= 19.0.0-next.0, < 19.2.18	19.2.18	Oct 16, 2025	The Angular SSR is a server-rise rendering tool for Angular applications. The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr) before 19.2.18, 20.3.6, and 21.0.0-next.8. The fu
CVE-2025-59052	Hig	—	>= 17.0.0-next.0, < 18.2.21	18.2.21	Sep 10, 2025	Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the conta

CVE-2026-44437MedMay 13, 2026
affected >= 22.0.0-next.0, < 22.0.0-next.7fixed 22.0.0-next.7
The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails
CVE-2026-33397MedMar 26, 2026
affected >= 22.0.0-next.0, < 22.0.0-next.2fixed 22.0.0-next.2
The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for C
CVE-2026-27739CriFeb 25, 2026
affected >= 21.2.0-next.0, < 21.2.0-rc.1fixed 21.2.0-rc.1
The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s i
CVE-2026-27738MedFeb 25, 2026
affected >= 21.2.0-next.0, < 21.2.0-rc.1fixed 21.2.0-rc.1
The Angular SSR is a server-rise rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-r
CVE-2025-62427HigOct 16, 2025
affected >= 19.0.0-next.0, < 19.2.18fixed 19.2.18
The Angular SSR is a server-rise rendering tool for Angular applications. The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr) before 19.2.18, 20.3.6, and 21.0.0-next.8. The fu
CVE-2025-59052HigSep 10, 2025
affected >= 17.0.0-next.0, < 18.2.21fixed 18.2.21
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the conta