Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 047dff880504 · 2026-04-16T22:38:46.000Z
GHSA-45q2-gjvg-7973 GHSA-jj8c-mmj3-mmgv
diff --git a/advisories/github-reviewed/2026/04/GHSA-45q2-gjvg-7973/GHSA-45q2-gjvg-7973.json b/advisories/github-reviewed/2026/04/GHSA-45q2-gjvg-7973/GHSA-45q2-gjvg-7973.json
@@ -0,0 +1,135 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-45q2-gjvg-7973",
+  "modified": "2026-04-16T22:36:01Z",
+  "published": "2026-04-16T22:36:01Z",
+  "aliases": [],
+  "summary": "Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server",
+  "details": "### Impact\n\nA [Server-Side Request Forgery (SSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF) vulnerability exists in `@angular/platform-server` due to improper handling of URLs during Server-Side Rendering (SSR).\n\nWhen an attacker sends a request such as `GET /\\evil.com/ HTTP/1.1` the server engine (Express, etc.) passes the URL string to Angular’s rendering functions.\n\nBecause the URL parser normalizes the backslash to a forward slash for HTTP/HTTPS schemes, the internal state of the application is hijacked to believe the current origin is `evil.com`. This misinterpretation tricks the application into treating the attacker’s domain as the local origin. Consequently, any relative `HttpClient` requests or `PlatformLocation.hostname` references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services.\n\n**Affected APIs:**\n- `renderModule`\n- `renderApplication`\n- `CommonEngine` (from `@angular/ssr`)\n\n**Non-Affected APIs:**\n- `AngularAppEngine` (from `@angular/ssr`)\n- `AngularNodeAppEngine` (from `@angular/ssr`)\n\n### Attack Preconditions\n- The server has outbound network access.\n- The application uses Angular SSR via the affected APIs.\n- A pathname is passed as URL to the rendering method  (e.g. using `req.url`).\n- The server-side code performs HTTP requests using `HttpClient` with relative URLs or uses `PlatformLocation.hostname` to build URLs. \n\n\n### Patches\n- 22.0.0-next.8\n- 21.2.9\n- 20.3.19\n- 19.2.21\n\n### Workarounds\nDevelopers should implement a middleware to sanitize the request URL before it reaches Angular. This involves stripping or normalizing leading slashes:\n\n```js\napp.use((req, res, next) => {\n  // Sanitize the URL to ensure it starts with a single forward slash\n  if (req.url.startsWith('//') || req.url.startsWith('/\\\\') || req.url.startsWith('\\\\')) {\n     req.url = '/' + req.url.replace(/^[/\\\\]+/, '');\n  }\n  next();\n});\n\n```\n### References\n- [Fix](https://github.com/angular/angular/pull/68194)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@angular/platform-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "22.0.0-next.0"
+            },
+            {
+              "fixed": "22.0.0-next.8"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@angular/platform-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "21.0.0-next.0"
+            },
+            {
+              "fixed": "21.2.9"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@angular/platform-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "20.0.0-next.0"
+            },
+            {
+              "fixed": "20.3.19"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@angular/platform-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "19.0.0-next.0"
+            },
+            {
+              "fixed": "19.2.21"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@angular/platform-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "18.2.14"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/angular/angular/security/advisories/GHSA-45q2-gjvg-7973"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/angular/angular/pull/68194"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/angular/angular"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T22:36:01Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-jj8c-mmj3-mmgv/GHSA-jj8c-mmj3-mmgv.json b/advisories/github-reviewed/2026/04/GHSA-jj8c-mmj3-mmgv/GHSA-jj8c-mmj3-mmgv.json
@@ -0,0 +1,55 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jj8c-mmj3-mmgv",
+  "modified": "2026-04-16T22:38:03Z",
+  "published": "2026-04-16T22:38:03Z",
+  "aliases": [],
+  "summary": "Authlib: Cross-site request forging when using cache",
+  "details": "### Summary\n\nThere is no CSRF protection on the cache feature on most integrations clients.\n\n### Details\nIn `authlib.integrations.starlette_client.OAuth`, no CSRF protection is set up when using the cache parameter. When _not_ using the cache parameter, the use of SessionMiddleware ties the client to the auth state, preventing CSRF attacks. With the cache, there is no such mechanism. Other integratons have the same issue, it's not just starlette.\n\nThe state parameter is taken from the callback URL and the state is fetched from the cache without checking that it is the same client calling the redirect endpoint as was the one that initiated the auth flow.\n\nThis issue is documented in RFC 6749 section 10.12:\nhttps://datatracker.ietf.org/doc/html/rfc6749#section-10.12\n\n### PoC\n- Set up a Starlette integration with a cache\n- The attacker starts the auth flow up until before the callback URL is followed.\n- The attacked sends the redirect URL to the victim\n- The victim now completes the authorisation\n\n### Impact\nThis impacts all users that use the cache to store auth state.\n\nAll users will be vulnerable to CSRF attacks and may have an attacker's account tied to their own. In our specific scenario, this allowed attackers to push invoices into a victim's account, ready to be paid. Very serious.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "authlib"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.6.11"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/authlib/authlib"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T22:38:03Z",
+    "nvd_published_at": null
+  }
+}
