Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-rrgg-e912-dqhr
Vulnerability ID VCID-rrgg-e912-dqhr
Aliases CVE-2026-44437
GHSA-69xr-m8h6-h664
Summary Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefix ### Description A vulnerability exists in the `X-Forwarded-Prefix` header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (`%2e%2e`). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic. When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the `X-Forwarded-Prefix` header without prior sanitization, an attacker can provide a payload such as `/%2e%2e/evil`. The vulnerability manifests in two ways: - Open Redirect: The application processes a redirect (e.g., router `redirectTo`). The decoded traversal payload manipulates the Location header, forcing the browser to an unintended path or external domain. - Server-Side Request Steering: The manipulated prefix is used as the base path for server-side `HttpClient` requests. This causes the server to make requests to unintended internal paths or external endpoints. ### Attack Preconditions - The application must use Angular SSR. - The application must perform internal redirects or use relative URLs in server-side `HttpClient` requests. - The upstream infrastructure (Reverse Proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without stripping or sanitizing it. ### Workarounds Until the patch is applied, developers should manually sanitize the `X-Forwarded-Prefix` header in their `server.ts`. The workaround involves decoding the component to catch encoded traversal attempts before normalization: ```ts app.use((req, res, next) => { let prefix = req.headers['x-forwarded-prefix']; if (Array.isArray(prefix)) prefix = prefix[0]; if (prefix) { try { // Decode the prefix to catch encoded characters like %2e (dots) const decodedPrefix = decodeURIComponent(prefix); // Sanitize: remove traversal attempts and ensure a safe leading slash req.headers['x-forwarded-prefix'] = decodedPrefix .replace(/\.\./g, '') // Remove any dot-dot sequences .replace(/^[/\\]+/, '/'); // Ensure it starts with exactly one slash } catch (e) { // If decoding fails, remove the potentially malicious header entirely delete req.headers['x-forwarded-prefix']; } } next(); }); ``` ### Configuring Trusted Proxy Headers By default, Angular ignores all X-Forwarded-* headers. If your application is behind a trusted reverse proxy (like a load balancer) that sets these headers, you can configure Angular to trust them. You can configure trustProxyHeaders when initializing the application engine: ```ts const appEngine = new AngularAppEngine({ // Trust specific headers trustProxyHeaders: ['x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-prefix'], }); const nodeAppEngine = new AngularNodeAppEngine({ // Trust all X-Forwarded-* headers trustProxyHeaders: true, }); ``` ### Patches - 22.0.0-next.7 - 21.2.9 - 20.3.25 - 19.2.25 ### Resources - https://github.com/angular/angular-cli/pull/33031 - https://angular.dev/best-practices/security#configuring-trusted-proxy-headers
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv4 6.9 https://angular.dev/best-practices/security#configuring-trusted-proxy-headers
generic_textual MODERATE https://angular.dev/best-practices/security#configuring-trusted-proxy-headers
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-44437
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-44437
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-44437
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-69xr-m8h6-h664
cvssv4 6.9 https://github.com/angular/angular-cli
generic_textual MODERATE https://github.com/angular/angular-cli
cvssv4 6.9 https://github.com/angular/angular-cli/pull/33031
generic_textual MODERATE https://github.com/angular/angular-cli/pull/33031
ssvc Track https://github.com/angular/angular-cli/pull/33031
cvssv3.1_qr MODERATE https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664
cvssv4 6.9 https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664
generic_textual MODERATE https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664
ssvc Track https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664
cvssv4 6.9 https://nvd.nist.gov/vuln/detail/CVE-2026-44437
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-44437
Reference id Reference type URL
https://angular.dev/best-practices/security#configuring-trusted-proxy-headers
https://api.first.org/data/v1/epss?cve=CVE-2026-44437
https://github.com/angular/angular-cli
https://github.com/angular/angular-cli/pull/33031
https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664
https://nvd.nist.gov/vuln/detail/CVE-2026-44437
GHSA-69xr-m8h6-h664 https://github.com/advisories/GHSA-69xr-m8h6-h664
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://angular.dev/best-practices/security#configuring-trusted-proxy-headers
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://github.com/angular/angular-cli
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://github.com/angular/angular-cli/pull/33031
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T13:33:05Z/ Found at https://github.com/angular/angular-cli/pull/33031
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T13:33:05Z/ Found at https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-44437
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.09265
EPSS Score 0.00031
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T17:03:14.384450+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-69xr-m8h6-h664/GHSA-69xr-m8h6-h664.json 38.6.0