PT-2026-38316 · Google · @Angular/Ssr
Kimkou2024 · Published 2026-05-06 · Updated 2026-05-28 · CVE-2026-44437
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
Angular SSR versions 19.0.0-next.0 through 19.2.24
Angular SSR versions 20.x through 20.3.24
Angular SSR versions 21.x through 21.2.8
Angular SSR versions 22.0.0-next.0 through 22.0.0-next.6
Description
An issue exists in the processing logic of the 'X-Forwarded-Prefix' header. The internal validation mechanism does not properly account for URL-encoded characters, specifically dots (%2e%2e), allowing attackers to bypass security filters by injecting encoded path traversal sequences. This occurs when the application is configured to trust proxy headers and is deployed behind a proxy that forwards the 'X-Forwarded-Prefix' header without sanitization. This can lead to two scenarios:
- Open Redirect: The decoded traversal payload manipulates the Location header during a redirect, forcing the browser to an unintended path or external domain.
- Server-Side Request Steering: The manipulated prefix is used as the base path for server-side HttpClient requests, causing the server to make requests to unintended internal paths or external endpoints.
Recommendations
Update Angular SSR to version 19.2.25.
Update Angular SSR to version 20.3.25.
Update Angular SSR to version 21.2.9.
Update Angular SSR to version 22.0.0-next.7.
As a temporary workaround, manually sanitize the 'X-Forwarded-Prefix' header in server.ts by decoding the component to catch encoded traversal attempts before normalization.
Fix
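The workaround above hinges on one ordering detail: the traversal check has to run on the decoded value, because a check on the raw header string never sees '..' when it arrives as '%2e%2e'. The TypeScript below is an added example, not code from the advisory or from the Angular project, showing one way to apply that check in a server.ts request path. It fully decodes the header (so single- and double-encoded dots both become visible), rejects any segment equal to '.' or '..', and also rejects protocol-relative or absolute-URL values, which are the shape that would steer a redirect off-site. The function names sanitizeForwardedPrefix, hardenHeaders and naiveRejectsTraversal, and all sample inputs, are assumptions constructed for this example.

```typescript
// Added example: decode-before-check sanitizer for X-Forwarded-Prefix.
// Not part of the advisory or of @angular/ssr; names below are assumed.

/** One round of percent-decoding; null when the value is malformed. */
function decodeOnce(value: string): string | null {
  try {
    return decodeURIComponent(value);
  } catch {
    return null;
  }
}

/**
 * Decode repeatedly until the value stops changing, so that %2e%2e and
 * %252e%252e (double-encoded) both end up as literal dots. Values that are
 * still changing after maxRounds are treated as suspicious and rejected.
 */
function fullyDecode(value: string, maxRounds = 3): string | null {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeOnce(current);
    if (next === null) return null;
    if (next === current) return current;
    current = next;
  }
  return null;
}

/**
 * The check the advisory describes as insufficient: looking for ".." in the
 * raw header. Returns true when traversal is rejected. It misses "%2e%2e".
 */
export function naiveRejectsTraversal(raw: string): boolean {
  return raw.includes('..');
}

/**
 * Hardened check. Accepts only an absolute path made of plain segments.
 * Returns the normalized prefix (no trailing slash, "" for root), or null
 * when the value must be dropped: traversal in any encoding, backslashes,
 * control characters, query/fragment characters, protocol-relative ("//host")
 * or scheme-prefixed values.
 */
export function sanitizeForwardedPrefix(raw: string | undefined): string | null {
  if (raw === undefined || raw === '') return '';
  const decoded = fullyDecode(raw);
  if (decoded === null) return null;
  // Must be a path: not "https://...", and not "//evil.example" which a
  // browser would read as a different host in a Location header.
  if (!decoded.startsWith('/') || decoded.startsWith('//')) return null;
  if (/[\\\x00-\x1f\x7f?#]/.test(decoded)) return null;
  // Inspect every segment AFTER decoding and BEFORE any path normalization,
  // so "%2e%2e" cannot slip past as an opaque segment and collapse later.
  const segments = decoded.split('/').filter((s) => s.length > 0);
  for (const seg of segments) {
    if (seg === '.' || seg === '..') return null;
    if (!/^[A-Za-z0-9._~-]+$/.test(seg)) return null;
  }
  return segments.length > 0 ? '/' + segments.join('/') : '';
}

/**
 * Apply to an incoming request's (lower-cased) headers before they reach the
 * SSR engine: a rejected or empty prefix is removed, a valid one is replaced
 * by its normalized form.
 */
export function hardenHeaders(
  headers: Record<string, string | undefined>,
): Record<string, string | undefined> {
  const out = { ...headers };
  const key = 'x-forwarded-prefix';
  if (key in out) {
    const clean = sanitizeForwardedPrefix(out[key]);
    if (clean === null || clean === '') {
      delete out[key];
    } else {
      out[key] = clean;
    }
  }
  return out;
}

// Constructed sample values (not from the advisory) to exercise both checks.
const samples = ['/app/v2/', '/%2e%2e/admin', '/app/..%2fadmin', '//evil.example'];
for (const s of samples) {
  console.log(s, 'naive-rejects:', naiveRejectsTraversal(s), 'hardened:', sanitizeForwardedPrefix(s));
}
```

In a real deployment the same decision is better made at the reverse proxy (strip or overwrite the header there), with this check kept in server.ts as defence in depth; the version upgrade in the recommendations above remains the actual fix.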
Path traversal
Open Redirect
Related Identifiers
Affected Products
@Angular/Ssr