Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/%40angular/ssr@20.3.4
purl pkg:npm/%40angular/ssr@20.3.4
Next non-vulnerable version 19.2.25
Latest non-vulnerable version 22.0.0-next.7
Risk
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-c849-wwtp-vkhz
Aliases:
CVE-2026-27739
GHSA-x288-3778-4hhx
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline A [Server-Side Request Forgery (SSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the following: - **Host Domain**: The `Host` and `X-Forwarded-Host` headers were not checked to belong to a trusted origin. This allows an attacker to redefine the "base" of the application to an arbitrary external domain. - **Path & Character Sanitization**: The `X-Forwarded-Host` header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs. - **Port Validation**: The `X-Forwarded-Port` header was not verified as numeric, leading to malformed URI construction or injection attacks. This vulnerability manifests in two primary ways: - **Implicit Relative URL Resolution**: Angular's `HttpClient` resolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can "steer" these requests to an external server or internal service. - **Explicit Manual Construction**: Developers injecting the `REQUEST` object to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing the `Host` / `X-Forwarded-*` headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.
20.3.17
Affected by 2 other vulnerabilities.
21.1.5
Affected by 2 other vulnerabilities.
21.2.0-rc.1
Affected by 2 other vulnerabilities.
VCID-g957-mzhx-4fgx
Aliases:
CVE-2026-33397
GHSA-vfx2-hv2g-xj5f
Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR An Open Redirect vulnerability exists in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header: - An attacker provides a value starting with a single backslash (e.g., `\evil.com`). - The internal validation failed to flag the single backslash as invalid. - The application prepends a leading forward slash, resulting in a `Location` header containing `/\evil.com`. - Modern browsers interpret the `/\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). ### Impact This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking: - **Scale**: A single request can poison a high-traffic route, impacting all users until the cache expires. - **SEO Poisoning**: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains. - **Trust**: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious. ### Patches - 22.0.0-next.2 - 21.2.3 - 20.3.21 ### Workarounds Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request: ```ts app.use((req, res, next) => { const prefix = req.headers['x-forwarded-prefix']; if (typeof prefix === 'string') { // Sanitize by removing all leading forward and backward slashes req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[/\\]+/, '/'); } next(); }); ``` ### References - Fix: https://github.com/angular/angular-cli/pull/32771 - Original CVE: CVE-2026-27738
20.3.21
Affected by 1 other vulnerability.
21.2.3
Affected by 1 other vulnerability.
22.0.0-next.2
Affected by 1 other vulnerability.
VCID-j1ye-vncb-e7bg
Aliases:
CVE-2025-62427
GHSA-q63q-pgmf-mxhr
Angular SSR has a Server-Side Request Forgery (SSRF) flaw The vulnerability is a **Server-Side Request Forgery (SSRF)** flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (`@angular/ssr`). The function `createRequestUrl` uses the native `URL` constructor. When an incoming request path (e.g., `originalUrl` or `url`) begins with a **double forward slash (`//`) or backslash (`\\`)**, the `URL` constructor treats it as a **schema-relative URL**. This behavior overrides the security-intended base URL (protocol, host, and port) supplied as the second argument, instead resolving the URL against the scheme of the base URL but adopting the attacker-controlled hostname. This allows an attacker to specify an external domain in the URL path, tricking the Angular SSR environment into setting the page's virtual location (accessible via `DOCUMENT` or `PlatformLocation` tokens) to this attacker-controlled domain. Any subsequent **relative HTTP requests** made during the SSR process (e.g., using `HttpClient.get('assets/data.json')`) will be incorrectly resolved against the attacker's domain, forcing the server to communicate with an arbitrary external endpoint.
20.3.6
Affected by 4 other vulnerabilities.
21.0.0-next.8
Affected by 4 other vulnerabilities.
VCID-rrgg-e912-dqhr
Aliases:
CVE-2026-44437
GHSA-69xr-m8h6-h664
Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefix ### Description A vulnerability exists in the `X-Forwarded-Prefix` header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (`%2e%2e`). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic. When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the `X-Forwarded-Prefix` header without prior sanitization, an attacker can provide a payload such as `/%2e%2e/evil`. The vulnerability manifests in two ways: - Open Redirect: The application processes a redirect (e.g., router `redirectTo`). The decoded traversal payload manipulates the Location header, forcing the browser to an unintended path or external domain. - Server-Side Request Steering: The manipulated prefix is used as the base path for server-side `HttpClient` requests. This causes the server to make requests to unintended internal paths or external endpoints. ### Attack Preconditions - The application must use Angular SSR. - The application must perform internal redirects or use relative URLs in server-side `HttpClient` requests. - The upstream infrastructure (Reverse Proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without stripping or sanitizing it. ### Workarounds Until the patch is applied, developers should manually sanitize the `X-Forwarded-Prefix` header in their `server.ts`. The workaround involves decoding the component to catch encoded traversal attempts before normalization: ```ts app.use((req, res, next) => { let prefix = req.headers['x-forwarded-prefix']; if (Array.isArray(prefix)) prefix = prefix[0]; if (prefix) { try { // Decode the prefix to catch encoded characters like %2e (dots) const decodedPrefix = decodeURIComponent(prefix); // Sanitize: remove traversal attempts and ensure a safe leading slash req.headers['x-forwarded-prefix'] = decodedPrefix .replace(/\.\./g, '') // Remove any dot-dot sequences .replace(/^[/\\]+/, '/'); // Ensure it starts with exactly one slash } catch (e) { // If decoding fails, remove the potentially malicious header entirely delete req.headers['x-forwarded-prefix']; } } next(); }); ``` ### Configuring Trusted Proxy Headers By default, Angular ignores all X-Forwarded-* headers. If your application is behind a trusted reverse proxy (like a load balancer) that sets these headers, you can configure Angular to trust them. You can configure trustProxyHeaders when initializing the application engine: ```ts const appEngine = new AngularAppEngine({ // Trust specific headers trustProxyHeaders: ['x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-prefix'], }); const nodeAppEngine = new AngularNodeAppEngine({ // Trust all X-Forwarded-* headers trustProxyHeaders: true, }); ``` ### Patches - 22.0.0-next.7 - 21.2.9 - 20.3.25 - 19.2.25 ### Resources - https://github.com/angular/angular-cli/pull/33031 - https://angular.dev/best-practices/security#configuring-trusted-proxy-headers
20.3.25
Affected by 0 other vulnerabilities.
21.2.9
Affected by 0 other vulnerabilities.
22.0.0-next.7
Affected by 0 other vulnerabilities.
VCID-twgz-ju7a-8yg9
Aliases:
CVE-2026-27738
GHSA-xh43-g2fq-wjrj
Angular SSR has an Open Redirect via X-Forwarded-Prefix An Open Redirect vulnerability exists in the internal URL processing logic in Angular SSR. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes (e.g., `///evil.com`). 1. The application processes a redirect (e.g., from a router `redirectTo` or i18n locale switch). 2. Angular receives `///evil.com` as the prefix. 3. It strips one slash, leaving `//evil.com`. 4. The resulting string is used in the `Location` header. 5. Modern browsers interpret `//` as a protocol-relative URL, redirecting the user from `https://your-app.com` to `https://evil.com`.
20.3.17
Affected by 2 other vulnerabilities.
21.1.5
Affected by 2 other vulnerabilities.
21.2.0-rc.1
Affected by 2 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T08:27:54.868963+00:00 GitLab Importer Affected by VCID-rrgg-e912-dqhr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/ssr/CVE-2026-44437.yml 38.6.0
2026-06-06T07:31:01.849512+00:00 GitLab Importer Affected by VCID-g957-mzhx-4fgx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/ssr/CVE-2026-33397.yml 38.6.0
2026-06-06T07:04:55.305310+00:00 GitLab Importer Affected by VCID-twgz-ju7a-8yg9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/ssr/CVE-2026-27738.yml 38.6.0
2026-06-06T07:04:04.195067+00:00 GitLab Importer Affected by VCID-c849-wwtp-vkhz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/ssr/CVE-2026-27739.yml 38.6.0
2026-06-06T06:15:32.653039+00:00 GitLab Importer Affected by VCID-j1ye-vncb-e7bg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/ssr/CVE-2025-62427.yml 38.6.0