Skip to content

fix(@angular/ssr): prevent malicious URL from overriding host #31474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 15, 2025
Merged

fix(@angular/ssr): prevent malicious URL from overriding host #31474

merged 1 commit into from
Oct 15, 2025

Conversation

alan-agius4
Copy link
Collaborator

A request with a specially crafted URL starting with a double slash (e.g., //example.com) could cause the server-side rendering logic to interpret the request as being for a different host. This is due to the behavior of the URL constructor when a protocol-relative URL is passed as the first argument.

This vulnerability could be exploited to make the server execute requests to a malicious domain when relative paths are used within the application (e.g., via HttpClient), potentially leading to content injection or other security risks.

The fix ensures that the request URL is always constructed as a full URL string, including the protocol and host, before being passed to the URL constructor. This prevents the host from being overridden by the path.

Closes #31464

@alan-agius4 alan-agius4 requested a review from jkrems October 15, 2025 07:49
@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: patch This PR is targeted for the next patch release labels Oct 15, 2025
@alan-agius4
fix(@angular/ssr): prevent malicious URL from overriding host
942d76f 
A request with a specially crafted URL starting with a double slash (e.g., `//example.com`) could cause the server-side rendering logic to interpret the request as being for a different host. This is due to the behavior of the `URL` constructor when a protocol-relative URL is passed as the first argument.

This vulnerability could be exploited to make the server execute requests to a malicious domain when relative paths are used within the application (e.g., via `HttpClient`), potentially leading to content injection or other security risks.

The fix ensures that the request URL is always constructed as a full URL string, including the protocol and host, before being passed to the `URL` constructor. This prevents the host from being overridden by the path.

Closes angular#31464
josephperrott
josephperrott approved these changes Oct 15, 2025
View reviewed changes
Copy link
Member

@josephperrott josephperrott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jkrems jkrems added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Oct 15, 2025
@jkrems jkrems merged commit 7be6c8f into angular:main Oct 15, 2025
32 checks passed
@jkrems
Copy link
Contributor

jkrems commented Oct 15, 2025

This PR was merged into the repository. The changes were merged into the following branches:

@alan-agius4 alan-agius4 deleted the ssr-url branch October 16, 2025 08:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkrems jkrems jkrems approved these changes

@josephperrott josephperrott josephperrott approved these changes

Assignees

No one assigned

Labels

action: merge The PR is ready for merge by the caretaker area: @angular/ssr target: patch This PR is targeted for the next patch release

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SSR server side request forgery

3 participants

@alan-agius4 @jkrems @josephperrott