CVE-2026-50168— Angular: URL Parser Differential in @angular/platform-server leading to SSRF Allowlist Bypass
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-50168
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Angular: URL Parser Differential in @angular/platform-server leading to SSRF Allowlist Bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/platform-server package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for allowlist validation and the lenient Domino URL parser used to initialize the server emulated DOM. When a server-side request contains a malformed URL with a double port structure (e.g., http://evil.com:80:80/path), Node's strict URL.canParse(url) logic returns false and skips host check validation entirely. However, the same malformed URL is later accepted and parsed leniently by Domino's internal parser, which resolves the origin to http://evil.com:80. The Angular SSR HTTP request interceptor (relativeUrlsTransformerInterceptorFn) then resolves all relative backend HTTP requests against this adopted origin, executing the SSRF attack. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
源验证错误
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-50168
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-50168
请登录查看更多情报信息。
Other References for CVE-2026-50168 (2)
Same Patch Batch · angular · 2026-06-22 · 17 CVEs total
| CVE-2026-52725 | Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (X | |
| CVE-2026-54265 | Angular: Two-Way Property Binding Sanitization Bypass (XSS) | |
| CVE-2026-54268 | Angular: Denial of Service (DoS) via OOM in Date Formatting (formatDate) | |
| CVE-2026-54266 | Angular: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Dat | |
| CVE-2026-54264 | Angular: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker | |
| CVE-2026-54267 | Angular Client Hydration DOM Clobbering & Response-Cache Poisoning | |
| CVE-2026-49241 | Angular: Multiple Remote Code Execution Vulnerabilities in Angular Language Service VS Cod | |
| CVE-2026-50171 | Angular: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo) | |
| CVE-2026-50169 | Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities | |
| CVE-2026-50557 | Angular: Template and Attribute Namespace Sanitization Bypass (XSS) | |
| CVE-2026-50556 | Angular: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scriptin | |
| CVE-2026-50555 | Angular: Improper Neutralization of Input During Web Page Generation ('Cross-site Scriptin | |
| CVE-2026-50184 | Angular: Request Credential & Cache Policy Stripping in Angular Service Worker | |
| CVE-2026-50170 | Angular: Information Leak via Default Caching of Credentialed Requests in HttpTransferCach | |
| CVE-2026-50178 | Angular: Remote Code Execution via JSDoc Hover Command Injection in VS Code Angular Langua | |
| CVE-2026-46417 | Angular: SSRF via Hostname Hijacking in @angular/platform-server |
IV. Related Vulnerabilities
Same product: angular
- CVE-2026-50171
Angular: Denial of Service (DoS) via OOM in Number Formattin - CVE-2026-50184
Angular: Request Credential & Cache Policy Stripping in Angu - CVE-2026-50169
Angular Service Worker Policy-Bypass & Credential-Stripping - CVE-2026-46417
Angular: SSRF via Hostname Hijacking in @angular/platform-se - CVE-2026-50170
Angular: Information Leak via Default Caching of Credentiale
Same vendor: angular
- CVE-2026-50171
Angular: Denial of Service (DoS) via OOM in Number Formattin - CVE-2026-50184
Angular: Request Credential & Cache Policy Stripping in Angu - CVE-2026-50169
Angular Service Worker Policy-Bypass & Credential-Stripping - CVE-2026-46417
Angular: SSRF via Hostname Hijacking in @angular/platform-se - CVE-2026-50170
Angular: Information Leak via Default Caching of Credentiale
Same weakness: CWE-346
- CVE-2026-46611
Glances: XML-RPC Server Missing Host Header Validation Enabl - CVE-2026-55487
pnpm: manifest identity spoof satisfies allowBuilds and runs - CVE-2026-54030
LibreChat: Missing Resource Parameter Validation in MCP OAut - CVE-2026-54069
SiYuan: Unauthenticated Admin API Access via Blanket chrome- - CVE-2026-54007
Open WebUI: Cross-origin postMessage confirmation bypass via
V. Comments for CVE-2026-50168
No comments yet