Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
An Open Redirect vulnerability exists in @angular/ssr due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., ///), the internal validation logic fails to account for a single backslash (\) bypass.
When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header:
- An attacker provides a value starting with a single backslash (e.g.,
\evil.com). - The internal validation failed to flag the single backslash as invalid.
- The application prepends a leading forward slash, resulting in a
Locationheader containing/\evil.com. - Modern browsers interpret the
/\sequence as//, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain.
Furthermore, the response lacks the Vary: X-Forwarded-Prefix header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning).
Impact
This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:
- Scale: A single request can poison a high-traffic route, impacting all users until the cache expires.
- SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.
- Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.
Patches
- 22.0.0-next.2
- 21.2.3
- 20.3.21
Workarounds
Until the patch is applied, developers should sanitize the X-Forwarded-Prefix header in their server.ts before the Angular engine processes the request:
app.use((req, res, next) => {
const prefix = req.headers['x-forwarded-prefix'];
if (typeof prefix === 'string') {
// Sanitize by removing all leading forward and backward slashes
req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[/\\]+/, '/');
}
next();
});References
- Fix: https://github.com/angular/angular-cli/pull/32771
- Original CVE: CVE-2026-27738
AnalysisAI
Open Redirect in Angular SSR allows remote attackers to bypass redirect validation through a single backslash character in the X-Forwarded-Prefix header, causing browsers to interpret the malformed URL as a protocol-relative redirect to attacker-controlled domains. This vulnerability affects Angular SSR applications deployed behind proxies and represents an incomplete fix for a prior open redirect issue. An attacker can craft requests to redirect authenticated users away from the legitimate application without user interaction.
Technical ContextAI
An open redirect vulnerability allows attackers to redirect users from a trusted domain to an arbitrary external URL through manipulation of redirect parameters. This vulnerability is classified as URL Redirection to Untrusted Site (Open Redirect) (CWE-601).
RemediationAI
A vendor patch is available — apply it immediately. Validate redirect URLs against a whitelist of allowed destinations. Use relative URLs for redirects. Warn users before redirecting to external sites.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13897
GHSA-fxxv-5hv8-hp3c