Venkatkwest

**Name of the Vulnerable Software and Affected Versions** Angular SSR versions 19.x through 19.2.20 Angular SSR versions 20.x through 20.3.16 Angular SSR versions 21.x through 21.1.4 Angular SSR version 21.2.0-rc.0 **Description** An Open Redirect issue exists in the internal URL processing logic of Angular SSR. The application normalizes URL segments by removing leading slashes, but only a single slash is removed. If an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header without sanitization, an attacker can provide a value starting with three slashes (e.g., `///evil.com`). This can lead to a redirect to a malicious domain, potentially enabling large-scale phishing and SEO hijacking. The vulnerability requires the application to use Angular SSR, have routes that perform internal redirects, and the infrastructure must pass the `X-Forwarded-Prefix` header to the SSR process without sanitization. The cache must also not vary on the `X-Forwarded-Prefix` header. The issue occurs because modern browsers interpret `//` as a protocol-relative URL, redirecting the user from the legitimate site to the attacker-controlled domain. **Recommendations** Angular SSR versions prior to 19.2.21 should be updated. Angular SSR versions prior to 20.3.17 should be updated. Angular SSR versions prior to 21.1.5 should be updated. Angular SSR version 21.2.0-rc.0 should be updated. As a temporary workaround, sanitize the `X-Forwarded-Prefix` header in the `server.ts` file before the Angular engine processes the request by removing all leading slashes. For example: ```ts app.use((req, res, next) => { const prefix = req.headers['x-forwarded-prefix']?.trim(); if (prefix) { // Sanitize by removing all leading slashes req.headers['x-forwarded-prefix'] = prefix.replace(/^[/]+/, '/'); } next(); }); ```

**Name of the Vulnerable Software and Affected Versions** Angular versions prior to 22.0.0-next.2 Angular versions prior to 21.2.3 Angular versions prior to 20.3.21 **Description** An Open Redirect issue exists in the Angular SSR tool due to an incomplete fix for a previously identified problem. The internal validation logic does not properly handle a single backslash (``) in the `X-Forwarded-Prefix` header, allowing attackers to bypass security measures. When deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with a single backslash. The application then prepends a forward slash, resulting in a `Location` header that browsers interpret as a protocol-relative URL, redirecting users to an attacker-controlled domain. The absence of the `Vary: X-Forwarded-Prefix` header in the response allows malicious redirects to be cached, potentially leading to Web Cache Poisoning. This could enable attackers to conduct phishing attacks and SEO hijacking, impacting a large number of users and potentially causing search engines to index malicious redirects. The vulnerability affects applications using the `@angular/ssr` package. The `X-Forwarded-Prefix` header is used to determine the base URL for the application. **Recommendations** Versions prior to 22.0.0-next.2: Apply the patch by updating to version 22.0.0-next.2 or later. Versions prior to 21.2.3: Apply the patch by updating to version 21.2.3 or later. Versions prior to 20.3.21: Apply the patch by updating to version 20.3.21 or later. As a temporary workaround, sanitize the `X-Forwarded-Prefix` header in your `server.ts` file before the Angular engine processes the request by removing all leading forward and backward slashes.