Conversation

@alan-agius4 (Collaborator)
A request with a specially crafted URL starting with a double slash (e.g., //example.com) could cause the server-side rendering logic to interpret the request as being for a different host. This is due to the behavior of the URL constructor when a protocol-relative URL is passed as the first argument.

This vulnerability could be exploited to make the server execute requests to a malicious domain when relative paths are used within the application (e.g., via HttpClient), potentially leading to content injection or other security risks.

The fix ensures that the request URL is always constructed as a full URL string, including the protocol and host, before being passed to the URL constructor. This prevents the host from being overridden by the path.

Closes #31464

(cherry picked from commit 619c6bc)
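The `URL` constructor behaviour the description refers to, beside the "full URL string" construction the fix describes, as an added example that is not code from the Angular PR (function names and sample values are hypothetical; runs under Node.js):

```javascript
// Added example, not code from the Angular PR: it reproduces the URL-constructor
// behaviour the description refers to and the "full URL string" construction it
// describes as the fix. Function names and sample values are hypothetical.

// Naive construction: resolve the incoming request path against the server's origin.
// A path beginning with "//" is a protocol-relative URL, so the base's host is ignored
// and the resulting URL points at whatever host the path names.
function naiveRequestUrl(reqPath, origin) {
  return new URL(reqPath, origin);
}

// Hardened construction, as the PR describes: assemble the complete URL string
// (protocol + host + path) first, then parse it. Whatever the path contains, it can
// only ever become the pathname of the server's own origin.
function fullRequestUrl(reqPath, protocol, host) {
  // Origin-form request targets always start with "/"; normalise anything else.
  const path = reqPath.startsWith('/') ? reqPath : `/${reqPath}`;
  return new URL(`${protocol}//${host}${path}`);
}

// Defence-in-depth check a server can run after building a request URL: the host
// of a URL derived from an incoming request must equal the host the server serves.
function hostMatches(url, expectedHost) {
  return url.host === expectedHost;
}

// Constructed sample request: a path that names a different host.
const SAMPLE_PATH = '//example.com/api/data';
const SERVER_PROTOCOL = 'https:';
const SERVER_HOST = 'localhost:4000';

const naive = naiveRequestUrl(SAMPLE_PATH, `${SERVER_PROTOCOL}//${SERVER_HOST}`);
const hardened = fullRequestUrl(SAMPLE_PATH, SERVER_PROTOCOL, SERVER_HOST);
console.log('naive    ->', naive.href, '| host matches:', hostMatches(naive, SERVER_HOST));
console.log('hardened ->', hardened.href, '| host matches:', hostMatches(hardened, SERVER_HOST));
```

The naive form yields `https://example.com/api/data`, the hardened form `https://localhost:4000//example.com/api/data`, where the double slash is just an empty path segment.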

@alan-agius4 alan-agius4 requested a review from hybrist October 15, 2025 07:50
@alan-agius4 alan-agius4 added labels `action: review` (The PR is still awaiting reviews from at least one requested reviewer) and `target: lts` (This PR is targeting a version currently in long-term support) on Oct 15, 2025
@hybrist hybrist added labels `action: merge` (The PR is ready for merge by the caretaker) and `target: lts` (This PR is targeting a version currently in long-term support), and removed `action: review` (The PR is still awaiting reviews from at least one requested reviewer) and `target: lts` (This PR is targeting a version currently in long-term support), on Oct 15, 2025
@hybrist hybrist merged commit 9136a5d into angular:19.2.x Oct 15, 2025
30 of 31 checks passed

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Nov 15, 2025