Description
Angular SSR is a server-side rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and used by the application logic.
When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil. This vulnerability is fixed in 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7.
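The weakness class described above, as an added example that is not Angular's own code: a naive X-Forwarded-Prefix check that looks for ".." in the raw header before percent-decoding, beside a hardened check that decodes first and accepts only a plain site-relative prefix (the sanitization the recommended actions below expect from the proxy). The function names, the allowlist and the 256-byte length bound are assumptions of this example.

```javascript
// Added example (not Angular SSR code). Names and limits are assumptions.

// Naive check: inspects the raw value for a literal "..". "/%2e%2e/evil"
// contains none, so it passes, and the dots reappear once the value is
// percent-decoded later in the request pipeline.
function naiveIsSafePrefix(raw) {
  return raw.startsWith('/') && !raw.includes('..');
}

// Hardened check: fully decode first, then allow only one site-relative path
// made of plain segments. Returns the normalized prefix, or null to reject.
const SEGMENT = /^[A-Za-z0-9._~-]+$/;   // assumed allowlist for a path segment

function safePrefix(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 256) return null;
  let decoded = raw;
  // Bounded decode loop so double encoding (%252e -> %2e -> .) is unwound too.
  for (let i = 0; i < 3 && decoded.includes('%'); i++) {
    try { decoded = decodeURIComponent(decoded); } catch { return null; } // malformed
  }
  if (decoded.includes('%')) return null;            // still not plain after 3 rounds
  // Exactly one leading slash: "//host" and "/\host" are protocol-relative
  // redirect targets rather than prefixes (CWE-601).
  if (!decoded.startsWith('/') || decoded.startsWith('//') || decoded.startsWith('/\\')) return null;
  const segments = decoded.slice(1).split('/');
  if (segments[segments.length - 1] === '') segments.pop(); // tolerate one trailing slash
  for (const seg of segments) {
    // Empty segment = "//" inside; "." and ".." = traversal (CWE-22); anything
    // outside the allowlist (backslash, "?", "#", ":", controls) is rejected.
    if (seg === '' || seg === '.' || seg === '..' || !SEGMENT.test(seg)) return null;
  }
  return '/' + segments.join('/');
}

// Run both checks on a constructed header value.
function compare(raw) {
  return { raw, naive: naiveIsSafePrefix(raw), hardened: safePrefix(raw) };
}

// Constructed samples: the naive check accepts the encoded and double-encoded
// traversal and the protocol-relative form; the hardened check rejects them.
const SAMPLES = ['/app', '/app/v2/', '/%2e%2e/evil', '/%252e%252e/evil', '//evil.example', '/..'];
for (const s of SAMPLES) console.log(compare(s));
```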
Published: 2026-05-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the X-Forwarded-Prefix header handling of Angular Server-Side Rendering allows an attacker to inject percent-encoded ".." sequences that are decoded during routing, resulting in path traversal and open redirect behavior. The vulnerability is due to missing validation of encoded characters in the header, so a payload such as "/%2e%2e/evil" can steer the application to arbitrary internal paths or externally controlled URLs. The impact spans confidentiality, integrity, and availability: a user may be redirected to an unintended destination, or application state may be manipulated without authorization.

Affected Systems

Affected versions of angular-cli are 19.0.0-next.0 through 19.2.24; the released versions 20.3.25, 21.2.9, and 22.0.0-next.7 contain the fix. Any deployment of Angular SSR that trusts proxy headers and is behind a proxy that forwards X-Forwarded-Prefix without sanitization is vulnerable. The issue does not affect earlier releases predating Angular CLI 19.0.0-next.0.

Risk and Exploitability

The CVSS score of 6.9 classifies the flaw as a medium severity vulnerability. Because EPSS data is not available, the current exploit probability is uncertain, but the known ability to drive arbitrary redirects and request steering suggests a non-negligible risk in environments that rely on trusted proxy headers. The vulnerability is not listed in the CISA KEV catalog; however, exploiting it requires the capability to inject or control the X-Forwarded-Prefix header, which typically means compromising the proxy or having direct access to the SSR endpoint. The attacker can then manipulate request routing for malicious purposes such as phishing, credential harvesting, or denial of service.

Generated by OpenCVE AI on May 13, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade angular-cli to at least 19.2.25, 20.3.25, 21.2.9, or 22.0.0-next.7, where the X-Forwarded-Prefix validation is fixed
  • Disable the "trust proxy" configuration or remove the X-Forwarded-Prefix header handling if it is not required for your deployment
  • Ensure that any upstream proxy or load balancer sanitizes or removes X-Forwarded-Prefix headers before forwarding them to the Angular SSR application


Advisories
Source: GitHub GHSA
ID: GHSA-69xr-m8h6-h664
Title: Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefix
History

Thu, 28 May 2026 18:00:00 +0000

Type: CPEs (values added)
cpe:2.3:a:angular:angular_cli:*:*:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next0:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next1:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next2:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next3:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next4:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next5:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next6:*:*:*:node.js:*:*

Type: Metrics (values added): cvssV3_1
{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 14 May 2026 14:15:00 +0000

Type: Metrics (values added): ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 23:15:00 +0000

Type: First Time appeared (values added): Angular; Angular angular Cli
Type: Vendors & Products (values added): Angular; Angular angular Cli

Wed, 13 May 2026 21:45:00 +0000

Type: Description (values added): Angular SSR is a server-side rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and used by the application logic. When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil. This vulnerability is fixed in 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7.
Type: Title (values added): Angular SSR: Open Redirect and Request Steering via Encoded X-Forwarded-Prefix
Type: Weaknesses (values added): CWE-22; CWE-601
Type: References (values added):
Type: Metrics (values added): cvssV4_0
{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T13:35:18.562Z

Reserved: 2026-05-06T14:40:00.954Z

Link: CVE-2026-44437

Vulnrichment

Updated: 2026-05-14T13:35:12.871Z

NVD

Status: Analyzed

Published: 2026-05-13T22:16:44.710

Modified: 2026-05-28T17:45:36.717

Link: CVE-2026-44437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T23:00:07Z

Weaknesses