chore(deps): update dependency @angular/platform-server@>=20.0.0-next.0 <20.3.19 to v21 [security] by renovate[bot] · Pull Request #33641 · DevExpress/DevExtreme

renovate · 2026-05-19T22:05:52Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/platform-server@>=20.0.0-next.0 <20.3.19 (source)	[`^20.3.19` → `^21.2.13`](https://renovatebot.com/diffs/npm/@angular%2fplatform-server@>=20.0.0-next.0 <20.3.19/20.3.19/21.2.13)

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

@angular/platform-server: SSRF via Hostname Hijacking

CVE-2026-46417 / GHSA-rfh7-fxqc-q52v

More information

Details

Impact

A Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points.

When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname.

Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services.

Fix Information

The vulnerability is mitigated by introducing an Allowlist Mechanism directly into the core rendering APIs.
The renderModule and renderApplication functions now include an allowedHosts configuration option. The rendering engine validates the hostname extracted from the request URL against this list before proceeding. If the hostname does not match an allowed entry, the engine prevents the hostname hijacking, ensuring that HttpClient requests remain restricted to trusted domains.

Patches

22.0.0-next.12
21.2.13
20.3.21
19.2.22

Workarounds

Developers unable to update immediately should implement strict URL validation in their server entry point (e.g., server.ts). Ensure that req.url is validated against a known list of trusted hostnames or normalized to a relative path before being passed torenderApplication or renderModule.

// Example manual normalization in Express
app.get('*', (req, res, next) => {
  const trustedHost = 'localhost:4000';
  // Ensure the request target matches expectations
  if (req.headers.host !== trustedHost) {
     return res.status(403).send('Forbidden');
  }
  next();
});

Severity

CVSS Score: 8.8 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

angular/angular (@angular/platform-server@>=20.0.0-next.0 <20.3.19)

Commit	Type	Description
629905d537	fix	add `allowedHosts` option to `renderModule` and `renderApplication`
0b7192f441	fix	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

Commit	Type	Description
fe13bb669d	fix	allow explicit read generic with signal input transforms
3430251fef	fix	i18n flags leaking on errors
1aeebbe304	fix	respect ngSkipHydration on components with projectable nodes in LContainers
9e38ed7d57	fix	sanitizer typings
7a05a9a71a	fix	validate security-sensitive attributes in i18n bindings
c37f6ca42f	fix	visit ng-let expression value in signal migration schematics

Commit	Type	Description
a40e2cebc8	fix	fix ordering of view queries metadata in JIT mode
885a1a1d97	fix	guard against non-object events and avoid listener wrapper identity mismatch
7a64aff9b5	fix	prevent event replay double-invocation when element hydrates before app stability

Commit	Type	Description
540536c386	fix	add CSP nonce support to JsonpClientBackend
63a857b874	fix	Don't on Passthru outside of reactive context

Commit	Type	Description
82192deda9	fix	handle missing serialized container hydration data
057cc6d09d	fix	remove obsolete iOS cursor pointer hack in event delegation

Commit	Type	Description
d04ddd73df	fix	prevent binding unsafe attributes on SVG animation elements (#67797)
8fd896e99a	fix	resolve component import by exact specifier in route lazy-loading schematic
b682c62873	fix	treat `object[data]` as resource URL context (#67797)

Commit	Type	Description
334ae10168	fix	ensure generated code compiles
23ea431c4e	fix	parse named HTML entities containing digits

Commit	Type	Description
26c43d14ba	fix	escape template literal in TCB
67e0ba7e03	fix	generic types not filled out correctly in type check block

Commit	Type	Description
1890c3008b	fix	clean up dehydrated views during HMR component replacement
bf948be4c2	fix	run linked signal equality check without reactive consumer

Commit	Type	Description
abbd8797bb	fix	reverts "feat(core): add support for nested animations"
d1dcd16c5b	fix	sanitize translated form attributes

Commit	Type	Description
c822bf8e76	fix	always parenthesize object literals in TCB
05d022d5e6	fix	ignore generated ngDevMode signal branch for code coverage

Commit	Type	Description
62a97f7e4b	fix	ensure definitions compile
21b1c3b2ee	fix	include signal debug names in their `toString()` representation
224e60ecb1	fix	sanitize translated attribute bindings with interpolations

Commit	Type	Description
18003a33bb	feat	add an 'outlet' injector option for ngTemplateOutlet
8bbe6dc46c	feat	Add Location strategies to manage trailing slash on write
51cc914807	feat	support height in ImageLoaderConfig and built-in loaders

Commit	Type	Description
72534e2a34	feat	Add support for the `instanceof` binary operator
95b3f37d4a	feat	Exhaustive checks for switch blocks
04ba09a8d9	feat	support `AstVisitor.visitEmptyExpr()`
ce80136e7b	fix	optimize away unnecessary restore/reset view calls
3242a61bae	fix	variable counter visiting some expressions twice

Commit	Type	Description
473dd3e1cb	fix	attach source spans to object literal keys in TCB
a904d9f77b	fix	support nested component declaration
2ea6dfc6c9	fix	update diagnostic to flag no-op arrow functions in listeners

Commit	Type	Description
8d5210c9fe	feat	add ChangeDetectionStrategy.Eager alias for Default
92d2498910	feat	add host node to DeferBlockData (#66546)
ea2016a6dc	feat	add support for nested animations
81cabc1477	feat	add support for TypeScript 6
1ba9b7ac50	feat	resource composition via snapshots
d9923b72a2	feat	support arrow functions in expressions
a7e8abbb7e	fix	correctly handle SkipSelf when resolving from embedded view injector
0806ee3826	fix	prevent animated element duplication with dynamic components in zoneless mode
ed78fa05c7	fix	Remove note to skip arrow functions in best practices

Commit	Type	Description
f56bb07d83	feat	add field param to submit action and onInvalid
ba009b6031	feat	add form directive
22afbb2f36	feat	add parsing support to native inputs (#66917)
95c386469c	feat	Add passing focus options to form field
95ecce8334	feat	allow setting submit options at form-level
ebae211add	feat	introduce parse errors in signal forms
3937afc316	feat	introduce SignalFormControl for Reactive Forms compatibility
30f0914754	feat	support binding null to number input (#66917)
dd208ca259	feat	update submit function to accept options object
27397b3f4f	fix	clear parse errors when model updates (#66917)
63d8005703	fix	preserve custom-control focus context in signal forms
631f60d1f9	fix	preserve parse errors when parse returns value
adfb83146b	fix	simplify design of parse errors
fb05fc86d0	fix	sort error summary by DOM order
567f292e8e	fix	support custom controls as host directives
bdfb60f3e3	fix	use consistent error format returned from parse
d75046bc09	fix	warn when showing hidden field state

Commit	Type	Description
ebc90c26f5	feat	Add completions and hover info for inline styles
26fd0839c3	feat	Add folding range support for inline styles
573aadef7e	feat	Add quick info for inline styles
6fb39d9b62	feat	Support client-side file watching via `onDidChangeWatchedFiles`

Commit	Type	Description
496967e7b1	feat	add JSON schema for angularCompilerOptions
8c21866f49	feat	add linked editing ranges for HTML tag synchronization
d2137928e8	perf	use lightweight project warmup for Angular analysis

Commit	Type	Description
b51bab583d	feat	Add partial ActivatedRouteSnapshot information to `canMatch` params
cf9620f7d0	feat	Make match options optional in isActive
907a94dcec	feat	Update `IsActiveMatchOptions` APIs to accept a Partial

Commit	Type	Description
2b99eaa019	fix	capture animation dependencies eagerly to avoid destroyed injector
d6aeac504c	fix	Fix flakey test due to document injection

Conversation

renovate Bot commented May 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

@​angular/platform-server: SSRF via Hostname Hijacking

Details

Impact

Fix Information

Patches

Workarounds

Severity

References

Release Notes

core

platform-server

core

forms

common

compiler

core

platform-server

docs

migrations

router

core

http

platform-server

router

compiler

compiler-cli

core

language-service

compiler

compiler-cli

core

localize

router

common

compiler

core

migrations

compiler

compiler-cli

core

migrations

service-worker

compiler

core

core

compiler

compiler-cli

forms

docs

migrations

router

common

compiler

compiler-cli

core

forms

language-server

language-service

router

Breaking Changes

core

common

compiler-cli

core

compiler

core

forms

http

core

forms

localize

router

forms

language-service

router

compiler-cli

core

renovate Bot commented May 19, 2026 •

edited

Loading

@angular/platform-server: SSRF via Hostname Hijacking

Commit	Type	Description
2b254bc050	fix	`linkedSignal.update` should propagate errors
e5110b4fa1	fix	export DirectiveWithBindings
2cf4da0ea1	fix	hold constructors weakly in DepsTracker cache
70a5b651be	fix	prevent element duplication with dynamic components

Commit	Type	Description
d6268c0bbb	fix	limit UrlParser recursion depth to prevent stack overflow
49a36f4cc7	perf	Use .bind to avoid holding other closures in memory

Commit	Type	Description
d89a80a970	feat	Ability to manually register a form field binding in signal forms
cb75f9ce85	fix	fix control value syncing on touch