Description
The Angular SSR is a server-side rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-rc.1. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes. This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking. In order to be vulnerable, the application must use Angular SSR, the application must have routes that perform internal redirects, the infrastructure (Reverse Proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without sanitization, and the cache must not vary on the `X-Forwarded-Prefix` header. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.
Published: 2026-02-25
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect enabling phishing and SEO hijacking
Action: Apply Patch
AI Analysis

Impact

An open redirect flaw exists in Angular SSR's URL processing logic. The code removes only a single leading slash from URL segments, allowing an attacker to send a value that starts with three slashes via the X-Forwarded-Prefix header when the application runs behind a proxy. The result is that internal routing can redirect users to arbitrary sites, facilitating large-scale phishing or search-engine hijacking. This is a classic CWE-601 vulnerability with a CVSS score of 6.9, indicating a moderate severity.

Affected Systems

The weakness affects Angular CLI projects on the 19.x branch before version 19.2.21, the 20.x branch before version 20.3.17, and the 21.x branch before 21.1.5 and 21.2.0-rc.1. Any deployment that processes the X-Forwarded-Prefix header without sanitization and whose cache does not vary on that header is vulnerable.

Risk and Exploitability

The exploitation probability is very low, with the risk metric indicating less than a 1% likelihood of exploitation. The vulnerability is not identified in CISA's catalog of known exploited vulnerabilities. The most likely attack vector is remote, with an adversary able to influence the X-Forwarded-Prefix header through a compromised or malicious reverse proxy or CDN. While the chance of exploitation remains modest, the potential impact on user safety and brand reputation remains significant.

Generated by OpenCVE AI on April 18, 2026 at 10:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Angular CLI to a patched release (19.2.21, 20.3.17, 21.1.5, or 21.2.0-rc.1 or later).
  • If an update cannot be applied immediately, sanitize the X-Forwarded-Prefix header in server.ts before the Angular engine processes the request.
  • Ensure that the application's caching layer varies on the X-Forwarded-Prefix header to prevent cached redirects from affecting other requests.

Generated by OpenCVE AI on April 18, 2026 at 10:39 UTC.
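As an added example (not Angular's code and not part of this advisory), the following TypeScript shows the normalization difference the description refers to and a server.ts middleware that implements the two recommended actions: sanitize X-Forwarded-Prefix before the Angular engine processes the request, and make responses vary on that header. The host evil.example, the prefix /app, and all function names are constructed for illustration; the Express-style (req, res, next) signature is assumed, and the example does not reproduce Angular's own URL-joining code.

```typescript
// Added example, not Angular's own code: hardening X-Forwarded-Prefix handling
// in an Angular SSR server.ts. The middleware runs before the Angular engine.

const FORWARDED_PREFIX = 'x-forwarded-prefix'; // Node lowercases incoming header names

// Header bag shape shared by Node's IncomingMessage and Express request objects.
type HeaderBag = Record<string, string | string[] | undefined>;

// Minimal response surface used here, so the example needs no Express import.
interface MinimalResponse {
  getHeader(name: string): string | number | string[] | undefined;
  setHeader(name: string, value: string): void;
}

// The flawed normalization described in the advisory: exactly one leading slash is
// removed, so a segment that began with three slashes still begins with two.
function stripOneLeadingSlash(segment: string): string {
  return segment.charAt(0) === '/' ? segment.slice(1) : segment;
}

// Corrected normalization: remove every leading slash and backslash, so the result
// can never begin the "//host" form that browsers resolve as a scheme-relative URL.
function stripAllLeadingSlashes(segment: string): string {
  return segment.replace(/^[\/\\]+/, '');
}

// True when a redirect target starts with two or more slashes or backslashes,
// i.e. when a browser would treat it as "same scheme, different host".
function isSchemeRelative(target: string): boolean {
  return /^[\/\\]{2}/.test(target);
}

// Accept only a single plain path prefix ("/app", "/tenant/a"): a leading slash,
// unreserved URL characters, no repeated slashes, optional trailing slash.
// "/" means no prefix and is reported as undefined; anything else is rejected.
function sanitizeForwardedPrefix(raw: string | undefined): string | undefined {
  if (raw === undefined) return undefined;
  const value = raw.trim();
  if (!/^\/(?:[A-Za-z0-9._~-]+\/)*[A-Za-z0-9._~-]*$/.test(value)) return undefined;
  const normalized = value.replace(/\/$/, '');
  return normalized === '' ? undefined : normalized;
}

// Append a field name to an existing Vary header without duplicating it; a wildcard
// already covers everything. Caches then key on X-Forwarded-Prefix as the advisory requires.
function addVary(existing: string | number | string[] | undefined, name: string): string {
  const parts: string[] = [];
  const raw = existing === undefined ? [] : Array.isArray(existing) ? existing : [String(existing)];
  for (let i = 0; i < raw.length; i++) {
    const pieces = raw[i].split(',');
    for (let j = 0; j < pieces.length; j++) {
      const p = pieces[j].trim();
      if (p !== '') parts.push(p);
    }
  }
  for (let k = 0; k < parts.length; k++) {
    if (parts[k] === '*' || parts[k].toLowerCase() === name.toLowerCase()) return parts.join(', ');
  }
  parts.push(name);
  return parts.join(', ');
}

// Express-style middleware for server.ts: rewrite the header to its sanitized form or
// drop it entirely, and mark the response as varying on it, before Angular sees the request.
function forwardedPrefixGuard(req: { headers: HeaderBag }, res: MinimalResponse, next: () => void): void {
  const raw = req.headers[FORWARDED_PREFIX];
  // A repeated header (array value) is ambiguous and is dropped rather than guessed at.
  const safe = sanitizeForwardedPrefix(typeof raw === 'string' ? raw : undefined);
  if (safe === undefined) {
    delete req.headers[FORWARDED_PREFIX];
  } else {
    req.headers[FORWARDED_PREFIX] = safe;
  }
  res.setHeader('Vary', addVary(res.getHeader('Vary'), 'X-Forwarded-Prefix'));
  next();
}
```

Register forwardedPrefixGuard with app.use() ahead of the Angular request handler. The allow-list in sanitizeForwardedPrefix is deliberately narrow: a prefix set by your own proxy is a fixed path such as /app, so anything containing a second slash in a row, a backslash, a scheme, or query characters is dropped rather than repaired. The Vary header is set even when the prefix is dropped, so a shared cache never serves a response produced under one prefix to a request carrying another.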

Advisories

Source        ID                    Title
Github GHSA   GHSA-xh43-g2fq-wjrj   Angular SSR has an Open Redirect via X-Forwarded-Prefix

History

Fri, 27 Feb 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Angular
                                       Angular angular
Vendors & Products                     Angular
                                       Angular angular

Wed, 25 Feb 2026 17:15:00 +0000

Type          Values Removed   Values Added
Description                    The Angular SSR is a server-side rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-rc.1. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes. This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking. In order to be vulnerable, the application must use Angular SSR, the application must have routes that perform internal redirects, the infrastructure (Reverse Proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without sanitization, and the cache must not vary on the `X-Forwarded-Prefix` header. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.
Title                          Angular SSR has an Open Redirect via X-Forwarded-Prefix
Weaknesses                     CWE-601
References
Metrics                        cvssV4_0
                               {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T20:46:26.917Z

Reserved: 2026-02-23T18:37:14.790Z

Link: CVE-2026-27738

Vulnrichment

Updated: 2026-02-27T20:46:02.667Z

NVD

Status: Deferred

Published: 2026-02-25T17:25:40.463

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27738

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses