
"The SSRF vulnerability found in the Angular SSR request handling pipeline exists because Angular's internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers, specifically the host and X-Forwarded-* family, to determine the application's base origin without validation of the destination domain. This vulnerability manifests through implicit relative URL resolution, explicit manual construction, and confidentiality breach."
"When exploited successfully, this SSRF vulnerability allows for arbitrary internal request steering. This can lead to the stealing of sensitive Authorization headers or session cookies by redirecting them to an attacker's server. Attackers also can access and transmit data from internal services, databases, or cloud metadata endpoints not exposed to the public internet."
Google's Angular team released two security updates addressing SSR vulnerabilities. The critical vulnerability involves SSRF and header injection in Angular's URL reconstruction logic, which unsafely trusts user-controlled HTTP headers like host and X-Forwarded-* headers without validating destination domains. This flaw enables arbitrary internal request steering, allowing attackers to steal authorization headers and session cookies, access internal services and databases, and retrieve cloud metadata. The second moderate vulnerability involves open redirects via the X-Forwarded-Prefix header. Both patches are available, and developers must update SSR applications immediately to prevent exploitation and protect sensitive data.
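The header-trust problem described above, as an added example that is neither Angular's code nor its patch: it contrasts an origin rebuilt directly from request headers with one checked against an allowlist, and shows where a relative URL resolved during server-side rendering would end up in each case. The allowlist, the default origin, the function names and the sample header values are constructed assumptions.

```javascript
// Constructed allowlist for a hypothetical deployment; not taken from the page.
const ALLOWED_ORIGINS = new Set(["https://shop.example.com", "https://www.example.com"]);
const DEFAULT_ORIGIN = "https://shop.example.com";

// Proxies may append values ("a, b"); take the first and normalise it.
const first = (v) => String(v ?? "").split(",")[0].trim().toLowerCase();

// Unsafe pattern: the base origin is whatever the request headers claim.
function naiveOrigin(headers) {
  const proto = first(headers["x-forwarded-proto"]) || "http";
  const host = first(headers["x-forwarded-host"]) || first(headers["host"]);
  return `${proto}://${host}`;
}

// Hardened pattern: headers may only select an origin that is already trusted.
function trustedOrigin(headers) {
  const candidate = naiveOrigin(headers);
  if (ALLOWED_ORIGINS.has(candidate)) return { origin: candidate, rejected: false };
  // Fall back to a fixed origin and flag the request so it can be logged.
  return { origin: DEFAULT_ORIGIN, rejected: true };
}

// Where a relative request such as "/api/cart" made during rendering would be sent.
function resolveRelative(path, origin) {
  return new URL(path, origin).href;
}

// Constructed request headers: one normal, one with a spoofed forwarded host.
const normal = { host: "shop.example.com", "x-forwarded-proto": "https" };
const spoofed = {
  host: "shop.example.com",
  "x-forwarded-proto": "http",
  "x-forwarded-host": "internal-admin.example.net",
};

for (const h of [normal, spoofed]) {
  const safe = trustedOrigin(h);
  console.log(resolveRelative("/api/cart", naiveOrigin(h)), "->",
    resolveRelative("/api/cart", safe.origin), safe.rejected ? "(rejected)" : "");
}
```

The `rejected` flag is the useful detection signal: a request whose forwarded headers do not map to a known origin is worth logging even though it is served from the default origin.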
Read at InfoWorld