Comparing changes
base repository: angular/angular-cli
base: 747393c
head repository: angular/angular-cli
compare: 4d9442a
  • 3 commits
  • 40 files changed
  • 2 contributors

Commits on Feb 23, 2026

  1. fix(@angular/ssr): validate host headers to prevent header-based SSRF

    This change introduces strict validation for `Host`, `X-Forwarded-Host`, `X-Forwarded-Proto`, and `X-Forwarded-Port` headers in the Angular SSR request handling pipeline, including `CommonEngine` and `AngularAppEngine`.
    alan-agius4 committed Feb 23, 2026
    commit 2a72d74
  2. fix(@angular/ssr): prevent open redirect via X-Forwarded-Prefix header

    This change addresses a security vulnerability where `joinUrlParts()` in
    `packages/angular/ssr/src/utils/url.ts` only stripped one leading slash from
    URL parts.
    
    When the `X-Forwarded-Prefix` header contains multiple leading slashes (e.g.,
    `///evil.com`), the function previously produced a protocol-relative URL
    (e.g., `//evil.com/home`). If the application issues a redirect (e.g., via
    a generic redirect route), the browser interprets this 'Location' header
    as an external redirect to `https://evil.com/home`.
    
    This vulnerability poses a significant risk as open redirects can be used in
    phishing attacks. Additionally, since the redirect response may lack
    `Cache-Control` headers, intermediate CDNs could cache the poisoned redirect,
    serving it to other users.
    
    This commit fixes the issue by:
    1. Updating `joinUrlParts` to internally strip *all* leading and trailing slashes
       from URL segments, preventing the formation of protocol-relative URLs from
       malicious input.
    2. Adding strict validation for the `X-Forwarded-Prefix` header to immediately
       reject requests with values starting with multiple slashes (`//`) or backslashes (`\\`).
    
    Closes #32501
    alan-agius4 committed Feb 23, 2026
    commit 288e228
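The `joinUrlParts()` weakness described in the commit above, as an added illustrative example in TypeScript that is not code from angular/angular-cli: a simplified reconstruction of the single-slash strip beside a version that strips all leading and trailing slashes, plus the `X-Forwarded-Prefix` check the commit describes. The function names, the `addLeadingSlash` helper and the exact pre-fix shape are assumptions.

```typescript
// Added illustrative example, not code from angular/angular-cli. The pre-fix
// shape below is an assumption: a simplified reconstruction of stripping only
// ONE leading/trailing slash per segment, enough to show the failure mode.

// Assumed helper: ensure the joined path starts with a '/'.
function addLeadingSlash(url: string): string {
  return url.startsWith('/') ? url : '/' + url;
}

// Pre-fix behaviour (assumed reconstruction): '///evil.com' loses only one
// slash, so the first segment keeps a '//' prefix and the joined result is a
// protocol-relative URL that a browser resolves to an external host.
export function joinUrlPartsVulnerable(...parts: string[]): string {
  const kept: string[] = [];
  for (let part of parts) {
    if (part.startsWith('/')) part = part.slice(1);
    if (part.endsWith('/')) part = part.slice(0, -1);
    if (part !== '') kept.push(part);
  }
  return addLeadingSlash(kept.join('/'));
}

// Fixed behaviour: strip ALL leading and trailing slashes from each segment,
// so no segment can re-introduce '//' at the start of the joined path.
export function joinUrlPartsFixed(...parts: string[]): string {
  const kept = parts
    .map((part) => part.replace(/^\/+|\/+$/g, ''))
    .filter((part) => part !== '');
  return addLeadingSlash(kept.join('/'));
}

// Header check described in the commit: reject an X-Forwarded-Prefix that
// starts with two or more slashes ('//') or with a backslash ('\').
export function isValidForwardedPrefix(prefix: string): boolean {
  return !/^(\/\/|\\)/.test(prefix);
}

// Defensive check for any Location value derived from request headers:
// a path-absolute URL must never start with '//'.
export function isProtocolRelative(location: string): boolean {
  return location.startsWith('//');
}

// Combined: build a redirect target from the forwarded prefix, or refuse (null).
export function buildRedirectLocation(prefix: string, path: string): string | null {
  if (!isValidForwardedPrefix(prefix)) return null;
  const location = joinUrlPartsFixed(prefix, path);
  return isProtocolRelative(location) ? null : location;
}
```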
  3. commit 4d9442a