GHSA-xrxm-cp7j-8xf6 · Severity: high · Ecosystem: npm — @angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/platform-server package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for allowlist validation and the lenient Domino URL parser used to initialize the server emulated DOM. When a server-side request contains a malformed URL with a double port structure (e.g., http://evil.com:80:80/path), Node's strict URL.canParse(url) logic returns false and skips host check validation entirely. However, the same malformed URL is later accepted and parsed leniently by Domino's internal parser, which resolves the origin to http://evil.com:80. The Angular SSR HTTP request interceptor (relativeUrlsTransformerInterceptorFn) then resolves all relative backend HTTP requests against this adopted origin, executing the SSRF attack. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Conclusion & alert: CVE-2026-50168 is rated Low Risk (38.3/100): CVSS High severity, with low exploitation likelihood (EPSS 0.19%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-07-01 | 0.28% | 0.19% | -0.09% |
| 2 | 2026-06-23 | 0.03% | 0.28% | +0.25% |
| 3 | 2026-06-12 | — | 0.03% | — |
Full EPSS history (3 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.8 | 4.0 | HIGH |
|
— | — | [email protected] |
| 8.2 | 3.1 | HIGH |
|
3.9 | 4.2 | [email protected] |
GHSA-xrxm-cp7j-8xf6 · Severity: high · Ecosystem: npm — @angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-50168 not yet assigned priority: Debian including 1 source packages (angular.js), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): undetermined 5. | https://security-tracker.debian.org/tracker/CVE-2026-50168 |
ubuntu
|
medium | CVE-2026-50168 medium priority: Ubuntu including 1 source packages (angular.js), 8 status rows across 8 suites (bionic, focal, jammy, noble, questing, resolute, upstream, xenial): needs-triage 8. | https://ubuntu.com/security/CVE-2026-50168 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| angular | angular | >= 2.0.0, <= 18.2.14 | cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:* |
| angular | angular | >= 19.0.0, < 19.2.23 | cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:* |
| angular | angular | >= 20.0.0, < 20.3.22 | cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:* |
| angular | angular | >= 21.0.0, < 21.2.15 | cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:next0:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:next1:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:next10:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:next11:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:next12:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:next2:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:next3:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:next4:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:next5:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:next6:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:next7:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:next8:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:next9:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:rc0:*:*:*:node.js:*:* |
| angular | angular | 22.0.0 | cpe:2.3:a:angular:angular:22.0.0:rc1:*:*:*:node.js:*:* |
| URL | Tags |
|---|---|
| https://github.com/angular/angular/pull/68928 | Issue Tracking Patch |
| https://github.com/angular/angular/security/advisories/GHSA-xrxm-cp7j-8xf6 | Vendor Advisory |