CVSS 4.0 score (GHSA): 6.9
Angular Server-Side Rendering allows attackers to redirect users to malicious sites
GHSA-xh43-g2fq-wjrj
CVE-2026-27738
Summary
A security flaw in Angular's server-side rendering (SSR) can allow attackers to trick users into visiting malicious websites. It is triggered when an attacker sends the server a request whose forwarded prefix contains extra leading slashes; a redirect issued by the application then points at the attacker's site instead of a path on the trusted domain. To protect against this, update to a fixed version, and until then make sure the `X-Forwarded-Prefix` value reaching the SSR process is sanitized so that routes performing internal redirects cannot be abused.
What to do
- Update angular ssr to version 21.2.0-rc.1.
- Update angular ssr to version 21.1.5.
- Update angular ssr to version 20.3.17.
- Update angular ssr to version 19.2.21.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| angular | ssr | > 21.2.0-next.0, <= 21.2.0-rc.0 | 21.2.0-rc.1 |
| angular | ssr | > 21.0.0-next.0, <= 21.1.5 | 21.1.5 |
| angular | ssr | > 20.0.0-next.0, <= 20.3.17 | 20.3.17 |
| angular | ssr | > 19.0.0-next.0, <= 19.2.21 | 19.2.21 |
Original title
Angular SSR has an Open Redirect via X-Forwarded-Prefix
Original description
An Open Redirect vulnerability exists in the internal URL processing logic in Angular SSR. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash.
When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes (e.g., `///evil.com`).
1. The application processes a redirect (e.g., from a router `redirectTo` or i18n locale switch).
2. Angular receives `///evil.com` as the prefix.
3. It strips one slash, leaving `//evil.com`.
4. The resulting string is used in the `Location` header.
5. Modern browsers interpret `//` as a protocol-relative URL, redirecting the user from `https://your-app.com` to `https://evil.com`.
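The following TypeScript is an added illustration, not Angular's own code: `stripOneLeadingSlash` models the flawed single-slash normalization described above, `normalizePrefix` is a hardened version, and `isProtocolRelative` is the check a defender can run on any `Location` value before it is sent. How the prefix is joined to the redirect target in `buildRedirect` is an assumption for the demonstration.

```typescript
// Flawed behaviour (modelled): only one leading slash is removed,
// so "///evil.com" becomes "//evil.com", which browsers treat as another host.
function stripOneLeadingSlash(prefix: string): string {
  return prefix.startsWith('/') ? prefix.slice(1) : prefix;
}

// Hardened: collapse any run of leading forward or back slashes into a single "/",
// so the value can only ever be an absolute path on the current origin.
function normalizePrefix(prefix: string): string {
  const trimmed = prefix.trim();
  if (trimmed === '') return '';
  return trimmed.replace(/^[/\\]+/, '/');
}

// Detection check: "//host/..." (and "/\host/...") is a scheme-relative,
// cross-origin URL. A same-origin redirect must never start this way.
function isProtocolRelative(location: string): boolean {
  return /^[/\\]{2}/.test(location);
}

// Assumed join (hypothetical, for illustration): prefix + "/" + route.
function buildRedirect(prefix: string, route: string, normalize: (p: string) => string): string {
  const base = normalize(prefix);
  return base + '/' + route.replace(/^\/+/, '');
}

// Constructed sample input: the attacker-controlled header value from the advisory.
const CONSTRUCTED_PREFIX = '///evil.com';

// Flawed path yields "//evil.com/en" (cross-origin); hardened path yields "/evil.com/en" (a local path).
const flawedLocation = buildRedirect(CONSTRUCTED_PREFIX, '/en', stripOneLeadingSlash);
const hardenedLocation = buildRedirect(CONSTRUCTED_PREFIX, '/en', normalizePrefix);
console.log(flawedLocation, isProtocolRelative(flawedLocation));
console.log(hardenedLocation, isProtocolRelative(hardenedLocation));
```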
### Impact
This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:
- **Scale:** A single request can poison a high-traffic route, impacting all users until the cache expires.
- **SEO Poisoning:** Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.
- **Trust:** Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.
### Attack Preconditions
- The application must use Angular SSR.
- The application must have routes that perform internal redirects.
- The infrastructure (Reverse Proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without sanitization.
- The cache must not vary on the `X-Forwarded-Prefix` header.
### Patches
- 21.2.0-rc.1
- 21.1.5
- 20.3.17
- 19.2.21
### Workarounds
Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request:
```ts
app.use((req, res, next) => {
  // Node types the header as string | string[] | undefined; take the first value if repeated
  const raw = req.headers['x-forwarded-prefix'];
  const prefix = (Array.isArray(raw) ? raw[0] : raw)?.trim();
  if (prefix) {
    // Sanitize by collapsing any run of leading forward/back slashes into a single "/",
    // so the prefix can never become a protocol-relative "//host" value
    req.headers['x-forwarded-prefix'] = prefix.replace(/^[/\\]+/, '/');
  }
  next();
});
```
### Resources
- [Report](https://github.com/angular/angular-cli/issues/32501)
- [Fix](https://github.com/angular/angular-cli/pull/32521)
Vulnerability type: CWE-601 (Open Redirect)
- https://github.com/angular/angular-cli/security/advisories/GHSA-xh43-g2fq-wjrj
- https://nvd.nist.gov/vuln/detail/CVE-2026-27738
- https://github.com/angular/angular-cli/issues/32501
- https://github.com/angular/angular-cli/pull/32521
- https://github.com/angular/angular-cli/commit/f086eccc36d10cf01c426e35864bc32e1e...
- https://github.com/advisories/GHSA-xh43-g2fq-wjrj
- https://github.com/angular/angular-cli/commit/877f017ace4b83277d773aa37f5813e5e9...
Published: 25 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026