VulnerableCode Package Details - pkg:npm/%40angular/ssr@20.3.9

Search for packages

Vulnerability	Summary	Fixed by
VCID-8v5d-ddg5-p3bv Aliases: CVE-2026-27738 GHSA-xh43-g2fq-wjrj	Angular SSR has an Open Redirect via X-Forwarded-Prefix An Open Redirect vulnerability exists in the internal URL processing logic in Angular SSR. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes (e.g., `///evil.com`). 1. The application processes a redirect (e.g., from a router `redirectTo` or i18n locale switch). 2. Angular receives `///evil.com` as the prefix. 3. It strips one slash, leaving `//evil.com`. 4. The resulting string is used in the `Location` header. 5. Modern browsers interpret `//` as a protocol-relative URL, redirecting the user from `https://your-app.com` to `https://evil.com`.	20.3.17 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 21.1.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 21.2.0-rc.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-fc5v-8zkb-63bt Aliases: CVE-2026-27739 GHSA-x288-3778-4hhx	Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline A [Server-Side Request Forgery (SSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-` family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the following: - Host Domain: The `Host` and `X-Forwarded-Host` headers were not checked to belong to a trusted origin. This allows an attacker to redefine the "base" of the application to an arbitrary external domain. - Path & Character Sanitization: The `X-Forwarded-Host` header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs. - Port Validation: The `X-Forwarded-Port` header was not verified as numeric, leading to malformed URI construction or injection attacks. This vulnerability manifests in two primary ways: - Implicit Relative URL Resolution: Angular's `HttpClient` resolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can "steer" these requests to an external server or internal service. - Explicit Manual Construction: Developers injecting the `REQUEST` object to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing the `Host` / `X-Forwarded-` headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.	20.3.17 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 21.1.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 21.2.0-rc.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-ucvz-8p8a-k7h4 Aliases: CVE-2026-33397 GHSA-vfx2-hv2g-xj5f		20.3.21 Affected by 0 other vulnerabilities. 21.2.3 Affected by 0 other vulnerabilities. 22.0.0-next.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-8v5d-ddg5-p3bv
Aliases:
CVE-2026-27738
GHSA-xh43-g2fq-wjrj

Angular SSR has an Open Redirect via X-Forwarded-Prefix An Open Redirect vulnerability exists in the internal URL processing logic in Angular SSR. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes (e.g., `///evil.com`). 1. The application processes a redirect (e.g., from a router `redirectTo` or i18n locale switch). 2. Angular receives `///evil.com` as the prefix. 3. It strips one slash, leaving `//evil.com`. 4. The resulting string is used in the `Location` header. 5. Modern browsers interpret `//` as a protocol-relative URL, redirecting the user from `https://your-app.com` to `https://evil.com`.

20.3.17
Affected by 1 other vulnerability.

21.1.5
Affected by 1 other vulnerability.

21.2.0-rc.1
Affected by 1 other vulnerability.

VCID-fc5v-8zkb-63bt
Aliases:
CVE-2026-27739
GHSA-x288-3778-4hhx

Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline A [Server-Side Request Forgery (SSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the following: - **Host Domain**: The `Host` and `X-Forwarded-Host` headers were not checked to belong to a trusted origin. This allows an attacker to redefine the "base" of the application to an arbitrary external domain. - **Path & Character Sanitization**: The `X-Forwarded-Host` header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs. - **Port Validation**: The `X-Forwarded-Port` header was not verified as numeric, leading to malformed URI construction or injection attacks. This vulnerability manifests in two primary ways: - **Implicit Relative URL Resolution**: Angular's `HttpClient` resolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can "steer" these requests to an external server or internal service. - **Explicit Manual Construction**: Developers injecting the `REQUEST` object to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing the `Host` / `X-Forwarded-*` headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.

20.3.17
Affected by 1 other vulnerability.

21.1.5
Affected by 1 other vulnerability.

21.2.0-rc.1
Affected by 1 other vulnerability.

VCID-ucvz-8p8a-k7h4
Aliases:
CVE-2026-33397
GHSA-vfx2-hv2g-xj5f

20.3.21
Affected by 0 other vulnerabilities.

21.2.3
Affected by 0 other vulnerabilities.

22.0.0-next.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-01T10:10:43.610976+00:00	GitLab Importer	Affected by	VCID-ucvz-8p8a-k7h4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/ssr/CVE-2026-33397.yml	38.6.0
2026-06-01T09:47:18.678595+00:00	GitLab Importer	Affected by	VCID-8v5d-ddg5-p3bv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/ssr/CVE-2026-27738.yml	38.6.0
2026-06-01T09:46:45.730758+00:00	GitLab Importer	Affected by	VCID-fc5v-8zkb-63bt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/ssr/CVE-2026-27739.yml	38.6.0