
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27738: Angular SSR: The One-Slash Wonder (CVE-2026-27738)


Vulnerability ID: CVE-2026-27738
CVSS Score: 6.1
Published: 2026-02-25

A deceptively simple logic error in Angular's Server-Side Rendering (SSR) engine allows attackers to turn internal redirects into open redirects. By exploiting how the framework normalizes URLs from the X-Forwarded-Prefix header, a malicious actor can bypass validation with extra slashes, leading to protocol-relative URL redirection. This flaw affects major versions 19, 20, and 21, turning trusted applications into phishing launchpads.

TL;DR

Angular SSR's URL normalization logic only stripped a single leading slash from path segments. Attackers sending an X-Forwarded-Prefix: ///evil.com header can trick the server into generating a Location: //evil.com redirect. This protocol-relative URL forces the browser to navigate to the attacker's domain, enabling high-credibility phishing attacks.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-601 (Open Redirect)
  • CVSS v4.0: 6.9 (Medium)
  • Attack Vector: Network (Header Manipulation)
  • Exploit Maturity: Proof of Concept
  • Privileges: None
  • User Interaction: Required (Victim must click link)

Affected Systems

  • Angular SSR 19.x < 19.2.21
  • Angular SSR 20.x < 20.3.17
  • Angular SSR 21.x < 21.1.5
  • @angular/ssr: >= 19.0.0-next.0, < 19.2.21 (Fixed in: 19.2.21)
  • @angular/ssr: >= 20.0.0-next.0, < 20.3.17 (Fixed in: 20.3.17)
  • @angular/ssr: >= 21.0.0-next.0, < 21.1.5 (Fixed in: 21.1.5)

Code Analysis

Commit: 877f017

fix(ssr): harden URL normalization and validate X-Forwarded-Prefix

```javascript
// From the fix: advance past every leading slash in the segment, not just the first one
while (start < end && part[start] === '/') { start++; }
```

Exploit Details

  • GitHub: Original issue report containing PoC steps

Mitigation Strategies

  • Upgrade to patched Angular SSR versions.
  • Sanitize X-Forwarded-Prefix headers at the reverse proxy (Nginx/AWS ALB) level.
  • Implement middleware to strip multiple leading slashes from header values.

Remediation Steps:

  1. Identify if your application uses @angular/ssr and is deployed behind a proxy passing X-Forwarded-Prefix.
  2. Update package.json to use @angular/ssr version 19.2.21, 20.3.17, or 21.1.5.
  3. Run npm update or yarn upgrade.
  4. Verify the fix by sending a request with X-Forwarded-Prefix: ///test and ensuring the response location is /test (relative) or https://host/test (absolute), not //test.

Read the full report for CVE-2026-27738 on our website for more details including interactive diagrams and full exploit analysis.
