Skip to main content

Angular SSR CVE-2026-44437

MEDIUM
Path Traversal (CWE-22)
2026-05-06 https://github.com/angular/angular-cli GHSA-69xr-m8h6-h664
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 13, 2026 - 22:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
May 07, 2026 - 00:00 vuln.today
Analysis Generated
May 07, 2026 - 00:00 vuln.today
CVE Published
May 06, 2026 - 23:42 nvd
MEDIUM

DescriptionGitHub Advisory

Description

A vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic. When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil.

The vulnerability manifests in two ways:

  • Open Redirect: The application processes a redirect (e.g., router redirectTo). The decoded traversal payload manipulates the Location header, forcing the browser to an unintended path or external domain.
  • Server-Side Request Steering: The manipulated prefix is used as the base path for server-side HttpClient requests. This causes the server to make requests to unintended internal paths or external endpoints.

Attack Preconditions

  • The application must use Angular SSR.
  • The application must perform internal redirects or use relative URLs in server-side HttpClient requests.
  • The upstream infrastructure (Reverse Proxy/CDN) must pass the X-Forwarded-Prefix header to the SSR process without stripping or sanitizing it.

Workarounds

Until the patch is applied, developers should manually sanitize the X-Forwarded-Prefix header in their server.ts. The workaround involves decoding the component to catch encoded traversal attempts before normalization:

ts
app.use((req, res, next) => {
  let prefix = req.headers['x-forwarded-prefix'];
  if (Array.isArray(prefix)) prefix = prefix[0];

  if (prefix) {
    try {
      // Decode the prefix to catch encoded characters like %2e (dots)
      const decodedPrefix = decodeURIComponent(prefix);

      // Sanitize: remove traversal attempts and ensure a safe leading slash
      req.headers['x-forwarded-prefix'] = decodedPrefix
        .replace(/\.\./g, '')       // Remove any dot-dot sequences
        .replace(/^[/\\]+/, '/');   // Ensure it starts with exactly one slash
    } catch (e) {
      // If decoding fails, remove the potentially malicious header entirely
      delete req.headers['x-forwarded-prefix'];
    }
  }
  next();
});

Configuring Trusted Proxy Headers

By default, Angular ignores all X-Forwarded-* headers. If your application is behind a trusted reverse proxy (like a load balancer) that sets these headers, you can configure Angular to trust them. You can configure trustProxyHeaders when initializing the application engine:

ts
const appEngine = new AngularAppEngine({
  // Trust specific headers
  trustProxyHeaders: ['x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-prefix'],
});

const nodeAppEngine = new AngularNodeAppEngine({
  // Trust all X-Forwarded-* headers
  trustProxyHeaders: true,
});

Patches

  • 22.0.0-next.7
  • 21.2.9
  • 20.3.25
  • 19.2.25

Resources

  • https://github.com/angular/angular-cli/pull/33031
  • https://angular.dev/best-practices/security#configuring-trusted-proxy-headers

AnalysisAI

Angular SSR applications fail to properly validate URL-encoded path traversal sequences in the X-Forwarded-Prefix header, allowing attackers to trigger open redirects or steer server-side HTTP requests to unintended endpoints when the application is configured to trust proxy headers and deployed behind an unsanitized proxy. Exploitation requires the upstream proxy to forward the X-Forwarded-Prefix header without stripping encoded dots (%2e%2e), and the Angular application must perform internal redirects or use relative URLs in server-side HttpClient requests. Vendor-released patches are available for all supported versions.

Technical ContextAI

Angular SSR applications use the X-Forwarded-Prefix header (when trustProxyHeaders is enabled) to construct the base path for server-side request routing and URL generation. The vulnerability exists in the request URL construction logic within the npm/@angular/ssr package, specifically in how the createRequestUrl and createWebRequestFromNodeRequest functions process this header. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), where URL-encoded traversal sequences (%2e%2e representing encoded dots) bypass validation checks that operate on the decoded form. When the X-Forwarded-Prefix header contains a payload like /%2e%2e/evil, the internal validation mechanism fails to detect the traversal attempt because it checks for literal .. sequences before decoding occurs. Subsequent application logic decodes the header value for use in URL construction or server-side request steering, resulting in path manipulation. This affects versions before 22.0.0-next.7, 21.2.9, 20.3.25, and 19.2.25 of @angular/ssr.

RemediationAI

Upgrade @angular/ssr immediately to version 22.0.0-next.7 (or later 22.x), 21.2.9 (or later 21.x), 20.3.25 (or later 20.x), or 19.2.25 (or later 19.x), depending on your currently deployed version line. Until patching is feasible, implement immediate server-side sanitization of the X-Forwarded-Prefix header in your server.ts Express middleware by decoding the header value and removing .. sequences and normalizing the leading slash, as provided in the CVE description's workaround code (which removes %2e%2e-encoded traversal attempts before the application processes the header). Alternatively, disable trustProxyHeaders entirely if your infrastructure does not strictly require proxy header support, or configure trustProxyHeaders as a whitelist of specific allowed headers (e.g., trustProxyHeaders: ['x-forwarded-host', 'x-forwarded-proto']) and omit x-forwarded-prefix if not needed. Additionally, ensure your upstream reverse proxy (load balancer, CDN, API gateway) validates and sanitizes the X-Forwarded-Prefix header before forwarding to the Angular SSR application - this is the recommended defense-in-depth approach per Angular documentation. Side effect of disabling trustProxyHeaders: applications behind a reverse proxy will not correctly construct absolute URLs for redirects or server-side requests, potentially breaking functionality in such deployments; whitelist approach preserves this functionality while reducing surface area.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-44437 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy