Lookup for vulnerable packages by Package URL.
| Purl | pkg:npm/%40angular/ssr@21.2.0-next.0 |
|---|
| Type | npm |
|---|
| Namespace | @angular |
|---|
| Name | ssr |
|---|
| Version | 21.2.0-next.0 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 21.2.0-rc.1 |
|---|
| Latest_non_vulnerable_version | 21.2.0-rc.1 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-8v5d-ddg5-p3bv |
| vulnerability_id |
VCID-8v5d-ddg5-p3bv |
| summary |
Angular SSR has an Open Redirect via X-Forwarded-Prefix
An Open Redirect vulnerability exists in the internal URL processing logic in Angular SSR. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash.
When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes (e.g., `///evil.com`).
1. The application processes a redirect (e.g., from a router `redirectTo` or i18n locale switch).
2. Angular receives `///evil.com` as the prefix.
3. It strips one slash, leaving `//evil.com`.
4. The resulting string is used in the `Location` header.
5. Modern browsers interpret `//` as a protocol-relative URL, redirecting the user from `https://your-app.com` to `https://evil.com`. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-27738, GHSA-xh43-g2fq-wjrj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8v5d-ddg5-p3bv |
|
| 1 |
| url |
VCID-fc5v-8zkb-63bt |
| vulnerability_id |
VCID-fc5v-8zkb-63bt |
| summary |
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
A [Server-Side Request Forgery (SSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the destination domain.
Specifically, the framework didn't have checks for the following:
- **Host Domain**: The `Host` and `X-Forwarded-Host` headers were not checked to belong to a trusted origin. This allows an attacker to redefine the "base" of the application to an arbitrary external domain.
- **Path & Character Sanitization**: The `X-Forwarded-Host` header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs.
- **Port Validation**: The `X-Forwarded-Port` header was not verified as numeric, leading to malformed URI construction or injection attacks.
This vulnerability manifests in two primary ways:
- **Implicit Relative URL Resolution**: Angular's `HttpClient` resolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can "steer" these requests to an external server or internal service.
- **Explicit Manual Construction**: Developers injecting the `REQUEST` object to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing the `Host` / `X-Forwarded-*` headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-27739, GHSA-x288-3778-4hhx
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fc5v-8zkb-63bt |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | 4.5 |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:npm/%2540angular/ssr@21.2.0-next.0 |
|---|