Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/73062?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/73062?format=api", "purl": "pkg:npm/%40angular/ssr@21.2.0-next.0", "type": "npm", "namespace": "@angular", "name": "ssr", "version": "21.2.0-next.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "19.2.18", "latest_non_vulnerable_version": "21.2.0-rc.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22809?format=api", "vulnerability_id": "VCID-8v5d-ddg5-p3bv", "summary": "Angular SSR has an Open Redirect via X-Forwarded-Prefix\nAn Open Redirect vulnerability exists in the internal URL processing logic in Angular SSR. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash.\n\nWhen an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes (e.g., `///evil.com`).\n\n1. The application processes a redirect (e.g., from a router `redirectTo` or i18n locale switch).\n2. Angular receives `///evil.com` as the prefix.\n3. It strips one slash, leaving `//evil.com`.\n4. The resulting string is used in the `Location` header.\n5. Modern browsers interpret `//` as a protocol-relative URL, redirecting the user from `https://your-app.com` to `https://evil.com`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27738", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19404", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27738" }, { "reference_url": "https://github.com/angular/angular-cli", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/angular/angular-cli" }, { "reference_url": "https://github.com/angular/angular-cli/commit/f086eccc36d10cf01c426e35864bc32e1e292323", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/angular/angular-cli/commit/f086eccc36d10cf01c426e35864bc32e1e292323" }, { "reference_url": "https://github.com/angular/angular-cli/issues/32501", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/angular/angular-cli/issues/32501" }, { "reference_url": "https://github.com/angular/angular-cli/pull/32521", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/angular/angular-cli/pull/32521" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27738", "reference_id": "CVE-2026-27738", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27738" }, { "reference_url": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj", "reference_id": "GHSA-xh43-g2fq-wjrj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj" }, { "reference_url": "https://github.com/angular/angular-cli/security/advisories/GHSA-xh43-g2fq-wjrj", "reference_id": "GHSA-xh43-g2fq-wjrj", "reference_type": "", "scores": [], "url": "https://github.com/angular/angular-cli/security/advisories/GHSA-xh43-g2fq-wjrj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73063?format=api", "purl": "pkg:npm/%40angular/ssr@21.2.0-rc.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540angular/ssr@21.2.0-rc.1" } ], "aliases": [ "CVE-2026-27738", "GHSA-xh43-g2fq-wjrj" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8v5d-ddg5-p3bv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22762?format=api", "vulnerability_id": "VCID-fc5v-8zkb-63bt", "summary": "Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline\nA [Server-Side Request Forgery (SSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the destination domain.\n\nSpecifically, the framework didn't have checks for the following:\n- **Host Domain**: The `Host` and `X-Forwarded-Host` headers were not checked to belong to a trusted origin. This allows an attacker to redefine the \"base\" of the application to an arbitrary external domain.\n- **Path & Character Sanitization**: The `X-Forwarded-Host` header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs.\n- **Port Validation**: The `X-Forwarded-Port` header was not verified as numeric, leading to malformed URI construction or injection attacks.\n\n\nThis vulnerability manifests in two primary ways:\n\n- **Implicit Relative URL Resolution**: Angular's `HttpClient` resolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can \"steer\" these requests to an external server or internal service.\n- **Explicit Manual Construction**: Developers injecting the `REQUEST` object to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing the `Host` / `X-Forwarded-*` headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.", "references": [ { "reference_url": "https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf", "reference_id": "", "reference_type": "", "scores": [], "url": "https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27739", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19404", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27739" }, { "reference_url": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF", "reference_id": "", "reference_type": "", "scores": [], "url": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF" }, { "reference_url": "https://github.com/angular/angular-cli", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/angular/angular-cli" }, { "reference_url": "https://github.com/angular/angular-cli/pull/32516", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/angular/angular-cli/pull/32516" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27739", "reference_id": "CVE-2026-27739", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27739" }, { "reference_url": "https://github.com/advisories/GHSA-x288-3778-4hhx", "reference_id": "GHSA-x288-3778-4hhx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x288-3778-4hhx" }, { "reference_url": "https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx", "reference_id": "GHSA-x288-3778-4hhx", "reference_type": "", "scores": [], "url": "https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73063?format=api", "purl": "pkg:npm/%40angular/ssr@21.2.0-rc.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540angular/ssr@21.2.0-rc.1" } ], "aliases": [ "CVE-2026-27739", "GHSA-x288-3778-4hhx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fc5v-8zkb-63bt" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540angular/ssr@21.2.0-next.0" }