SCA: security update for @angular/ssr (GHSA-x288-3778-4hhx)

critical Tenable Self-Hosted Container Security Plugin ID 438109

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1,
21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR
request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic
directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family
to determine the application's base origin without any validation of the destination domain. Specifically,
the framework didn't have checks for the host domain, path and character sanitization, and port
validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and
explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary
internal request steering. This can lead to credential exfiltration, internal network probing, and a
confidentiality breach. In order to be vulnerable, the victim application must use Angular SSR (Server-
Side Rendering), the application must perform `HttpClient` requests using relative URLs OR manually
construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object, the
application server must be reachable by an attacker who can influence these headers without strict
validation from a front-facing proxy, and the infrastructure (Cloud, CDN, or Load Balancer) must not
sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch.
Some workarounds are available. Avoid using `req.headers` for URL construction. Instead, use trusted
variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their
`server.ts` to enforce numeric ports and validated hostnames. (CVE-2026-27739)

See Also

https://github.com/advisories/GHSA-x288-3778-4hhx

Plugin Details

Severity: Critical

ID: 438109

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 3/3/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.59

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-27739

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.2

Threat Score: 7.8

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/25/2026

Vulnerability Publication Date: 2/25/2026

Reference Information

CVE: CVE-2026-27739

cwe: CWE-918