PT-2026-21961 · Google · @Angular/Ssr

Venkatkwest · Published 2026-02-25 · Updated 2026-04-30 · CVE-2026-27738

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

Angular SSR versions 19.x through 19.2.20
Angular SSR versions 20.x through 20.3.16
Angular SSR versions 21.x through 21.1.4
Angular SSR version 21.2.0-rc.0

Description

An Open Redirect issue exists in the internal URL processing logic of Angular SSR. The application normalizes URL segments by removing leading slashes, but only a single slash is removed. If an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header without sanitization, an attacker can provide a value starting with three slashes (e.g., ///evil.com); after one slash is stripped, the remaining //evil.com is used to build the redirect target. This can lead to a redirect to a malicious domain, potentially enabling large-scale phishing and SEO hijacking. The vulnerability requires the application to use Angular SSR, to have routes that perform internal redirects, and the infrastructure to pass the X-Forwarded-Prefix header to the SSR process without sanitization. Any cache in front of the application must also not vary on the X-Forwarded-Prefix header (otherwise a redirect generated from the attacker's request would not be served to other users). The issue occurs because modern browsers interpret a leading // as a protocol-relative URL, redirecting the user from the legitimate site to the attacker-controlled domain.
Recommendations

Angular SSR versions prior to 19.2.21 should be updated.
Angular SSR versions prior to 20.3.17 should be updated.
Angular SSR versions prior to 21.1.5 should be updated.
Angular SSR version 21.2.0-rc.0 should be updated.

As a temporary workaround, sanitize the X-Forwarded-Prefix header in the server.ts file before the Angular engine processes the request by removing all leading slashes (the middleware below collapses any run of them into a single slash, so the prefix can never start with //). For example:

```ts
app.use((req, res, next) => {
  const prefix = req.headers['x-forwarded-prefix']?.trim();
  if (prefix) {
    // Collapse any run of leading slashes into a single one so the
    // prefix cannot be read as a protocol-relative URL
    req.headers['x-forwarded-prefix'] = prefix.replace(/^[/]+/, '/');
  }
  next();
});
```
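To make the mechanism in the description and the effect of the workaround concrete, the following is an added example (not Angular's source and not part of this advisory) that models the weak single-slash normalization beside the hardened prefix handling, and resolves the resulting redirect the way a WHATWG-compliant browser would. All function names, the origin https://app.example and the host evil.com are assumed or constructed for illustration.

```typescript
// Added example, not Angular's code: a small model of the prefix handling the
// advisory describes, with the hardened normaliser beside it. Function names are
// assumed; "https://app.example" and "evil.com" are constructed sample values.

// Approximation of the weak normalisation: each URL segment loses exactly ONE
// leading and ONE trailing slash before the parts are joined with "/".
export function joinUrlPartsWeak(...parts: string[]): string {
  const trimmed = parts.map((p) => p.replace(/^\//, '').replace(/\/$/, ''));
  return '/' + trimmed.filter((p) => p.length > 0).join('/');
}

// Hardened prefix normalisation (what the workaround middleware does): collapse
// any run of leading slashes or backslashes into a single "/". Backslashes are
// included because WHATWG URL parsing treats "\" like "/" for http(s) URLs.
export function sanitizePrefix(prefix: string): string {
  return prefix.trim().replace(/^[\\/]+/, '/');
}

// Would a browser leave the site if sent to `location`? True for
// protocol-relative ("//host", "/\host") and absolute ("https://host") targets.
export function isExternalRedirect(location: string): boolean {
  return /^[\\/]{2}/.test(location) || /^[a-z][a-z0-9+.-]*:/i.test(location);
}

// Where a browser following `location` from `origin` actually lands (host only).
// Node's URL class implements the WHATWG parser, which skips extra leading
// slashes and then reads an authority, so "///evil.com/x" resolves to evil.com.
export function resolvedHost(location: string, origin = 'https://app.example'): string {
  return new URL(location, origin).host;
}

// Simulate the Location header an SSR app would emit for an internal route
// redirect: the forwarded prefix (raw or sanitized) joined with the route path.
export function buildRedirect(forwardedPrefix: string, routePath: string, hardened: boolean): string {
  const prefix = hardened ? sanitizePrefix(forwardedPrefix) : forwardedPrefix;
  return joinUrlPartsWeak(prefix, routePath);
}

// Stand-alone demonstration: the same attacker-supplied prefix with and without
// the sanitizer, reported as [location, external?, host the browser lands on].
export function demo(): [string, boolean, string][] {
  const forwarded = '///evil.com'; // constructed X-Forwarded-Prefix value
  return [false, true].map((hardened) => {
    const loc = buildRedirect(forwarded, '/login', hardened);
    return [loc, isExternalRedirect(loc), resolvedHost(loc)];
  });
}
```

Running demo() shows the raw prefix producing a location that resolves to evil.com while the sanitized prefix yields /evil.com/login, which stays on app.example. The isExternalRedirect check is the kind of assertion worth adding to a test suite or a response-header audit for any SSR deployment that builds redirects from proxy-supplied headers.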

Exploit

Fix

Open Redirect


Weakness Enumeration

Related Identifiers

CVE-2026-27738
GHSA-XH43-G2FQ-WJRJ

Affected Products

@Angular/Ssr