Vulnerability-Lookup

CVE-2026-44437 (GCVE-0-2026-44437)

Vulnerability from cvelistv5 – Published: 2026-05-13 21:23 – Updated: 2026-05-14 13:35

Title

Angular SSR: Open Redirect and Request Steering via Encoded X-Forwarded-Prefix

Summary

The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic. When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil. This vulnerability is fixed in19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/angular/angular-cli/security/a…	x_refsource_CONFIRM
https://github.com/angular/angular-cli/pull/33031	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
angular	angular-cli	Affected: >= 22.0.0-next.0, < 22.0.0-next.7 Affected: >= 21.0.0-next.0, < 21.2.9 Affected: >= 20.0.0-next.0, < 20.3.25 Affected: >= 19.0.0-next.0, < 19.2.25

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44437",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T13:33:05.814553Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T13:35:18.562Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "angular-cli",
          "vendor": "angular",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-next.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 21.0.0-next.0, \u003c 21.2.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 20.0.0-next.0, \u003c 20.3.25"
            },
            {
              "status": "affected",
              "version": "\u003e= 19.0.0-next.0, \u003c 19.2.25"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic.\nWhen an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil. This vulnerability is fixed in19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T21:23:59.260Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664"
        },
        {
          "name": "https://github.com/angular/angular-cli/pull/33031",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/angular/angular-cli/pull/33031"
        }
      ],
      "source": {
        "advisory": "GHSA-69xr-m8h6-h664",
        "discovery": "UNKNOWN"
      },
      "title": "Angular SSR: Open Redirect and Request Steering via Encoded X-Forwarded-Prefix"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44437",
    "datePublished": "2026-05-13T21:23:59.260Z",
    "dateReserved": "2026-05-06T14:40:00.954Z",
    "dateUpdated": "2026-05-14T13:35:18.562Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44437",
      "date": "2026-05-27",
      "epss": "0.00064",
      "percentile": "0.1988"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44437\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-13T22:16:44.710\",\"lastModified\":\"2026-05-14T18:17:11.253\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic.\\nWhen an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil. This vulnerability is fixed in19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"references\":[{\"url\":\"https://github.com/angular/angular-cli/pull/33031\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Angular SSR: Open Redirect and Request Steering via Encoded X-Forwarded-Prefix\", \"source\": {\"advisory\": \"GHSA-69xr-m8h6-h664\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"angular\", \"product\": \"angular-cli\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 22.0.0-next.0, \u003c 22.0.0-next.7\"}, {\"status\": \"affected\", \"version\": \"\u003e= 21.0.0-next.0, \u003c 21.2.9\"}, {\"status\": \"affected\", \"version\": \"\u003e= 20.0.0-next.0, \u003c 20.3.25\"}, {\"status\": \"affected\", \"version\": \"\u003e= 19.0.0-next.0, \u003c 19.2.25\"}]}], \"references\": [{\"url\": \"https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664\", \"name\": \"https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/angular/angular-cli/pull/33031\", \"name\": \"https://github.com/angular/angular-cli/pull/33031\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic.\\nWhen an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil. This vulnerability is fixed in19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-601\", \"description\": \"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-13T21:23:59.260Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44437\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-14T13:33:05.814553Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-05-14T13:35:12.871Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44437\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-13T21:23:59.260Z\", \"dateReserved\": \"2026-05-06T14:40:00.954Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-13T21:23:59.260Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44437

Vulnerability from fkie_nvd - Published: 2026-05-13 22:16 - Updated: 2026-05-14 18:17

Severity

6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/angular/angular-cli/pull/33031
	security-advisories@github.com	https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic.\nWhen an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil. This vulnerability is fixed in19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7."
    }
  ],
  "id": "CVE-2026-44437",
  "lastModified": "2026-05-14T18:17:11.253",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-13T22:16:44.710",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/angular/angular-cli/pull/33031"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-69XR-M8H6-H664

Vulnerability from github – Published: 2026-05-06 23:42 – Updated: 2026-05-14 20:43

Summary

Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefix

Details

Description

A vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic. When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil.

The vulnerability manifests in two ways: - Open Redirect: The application processes a redirect (e.g., router redirectTo). The decoded traversal payload manipulates the Location header, forcing the browser to an unintended path or external domain. - Server-Side Request Steering: The manipulated prefix is used as the base path for server-side HttpClient requests. This causes the server to make requests to unintended internal paths or external endpoints.

Attack Preconditions

The application must use Angular SSR.
The application must perform internal redirects or use relative URLs in server-side HttpClient requests.
The upstream infrastructure (Reverse Proxy/CDN) must pass the X-Forwarded-Prefix header to the SSR process without stripping or sanitizing it.

Workarounds

Until the patch is applied, developers should manually sanitize the X-Forwarded-Prefix header in their server.ts. The workaround involves decoding the component to catch encoded traversal attempts before normalization:

app.use((req, res, next) => {
  let prefix = req.headers['x-forwarded-prefix'];
  if (Array.isArray(prefix)) prefix = prefix[0];

  if (prefix) {
    try {
      // Decode the prefix to catch encoded characters like %2e (dots)
      const decodedPrefix = decodeURIComponent(prefix);

      // Sanitize: remove traversal attempts and ensure a safe leading slash
      req.headers['x-forwarded-prefix'] = decodedPrefix
        .replace(/\.\./g, '')       // Remove any dot-dot sequences
        .replace(/^[/\\]+/, '/');   // Ensure it starts with exactly one slash
    } catch (e) {
      // If decoding fails, remove the potentially malicious header entirely
      delete req.headers['x-forwarded-prefix'];
    }
  }
  next();
});

Configuring Trusted Proxy Headers

By default, Angular ignores all X-Forwarded-* headers. If your application is behind a trusted reverse proxy (like a load balancer) that sets these headers, you can configure Angular to trust them. You can configure trustProxyHeaders when initializing the application engine:

const appEngine = new AngularAppEngine({
  // Trust specific headers
  trustProxyHeaders: ['x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-prefix'], 
});

const nodeAppEngine = new AngularNodeAppEngine({
  // Trust all X-Forwarded-* headers
  trustProxyHeaders: true, 
});

Patches

22.0.0-next.7
21.2.9
20.3.25
19.2.25

Resources

https://github.com/angular/angular-cli/pull/33031
https://angular.dev/best-practices/security#configuring-trusted-proxy-headers

Severity

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/ssr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "22.0.0-next.0"
            },
            {
              "fixed": "22.0.0-next.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/ssr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "21.0.0-next.0"
            },
            {
              "fixed": "21.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/ssr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "20.0.0-next.0"
            },
            {
              "fixed": "20.3.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/ssr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0-next.0"
            },
            {
              "fixed": "19.2.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T23:42:10Z",
    "nvd_published_at": "2026-05-13T22:16:44Z",
    "severity": "MODERATE"
  },
  "details": "### Description\nA vulnerability exists in the `X-Forwarded-Prefix` header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (`%2e%2e`). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic.\nWhen an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the `X-Forwarded-Prefix` header without prior sanitization, an attacker can provide a payload such as `/%2e%2e/evil`.\n\nThe vulnerability manifests in two ways:\n- Open Redirect: The application processes a redirect (e.g., router `redirectTo`). The decoded traversal payload manipulates the Location header, forcing the browser to an unintended path or external domain.\n- Server-Side Request Steering: The manipulated prefix is used as the base path for server-side `HttpClient` requests. This causes the server to make requests to unintended internal paths or external endpoints.\n\n### Attack Preconditions\n- The application must use Angular SSR.\n- The application must perform internal redirects or use relative URLs in server-side `HttpClient` requests.\n- The upstream infrastructure (Reverse Proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without stripping or sanitizing it.\n\n### Workarounds\nUntil the patch is applied, developers should manually sanitize the `X-Forwarded-Prefix` header in their `server.ts`. The workaround involves decoding the component to catch encoded traversal attempts before normalization:\n\n\n```ts\napp.use((req, res, next) =\u003e {\n  let prefix = req.headers[\u0027x-forwarded-prefix\u0027];\n  if (Array.isArray(prefix)) prefix = prefix[0];\n\n  if (prefix) {\n    try {\n      // Decode the prefix to catch encoded characters like %2e (dots)\n      const decodedPrefix = decodeURIComponent(prefix);\n      \n      // Sanitize: remove traversal attempts and ensure a safe leading slash\n      req.headers[\u0027x-forwarded-prefix\u0027] = decodedPrefix\n        .replace(/\\.\\./g, \u0027\u0027)       // Remove any dot-dot sequences\n        .replace(/^[/\\\\]+/, \u0027/\u0027);   // Ensure it starts with exactly one slash\n    } catch (e) {\n      // If decoding fails, remove the potentially malicious header entirely\n      delete req.headers[\u0027x-forwarded-prefix\u0027];\n    }\n  }\n  next();\n});\n```\n### Configuring Trusted Proxy Headers\nBy default, Angular ignores all X-Forwarded-* headers. If your application is behind a trusted reverse proxy (like a load balancer) that sets these headers, you can configure Angular to trust them.\nYou can configure trustProxyHeaders when initializing the application engine:\n\n```ts\nconst appEngine = new AngularAppEngine({\n  // Trust specific headers\n  trustProxyHeaders: [\u0027x-forwarded-host\u0027, \u0027x-forwarded-proto\u0027, \u0027x-forwarded-prefix\u0027], \n});\n\nconst nodeAppEngine = new AngularNodeAppEngine({\n  // Trust all X-Forwarded-* headers\n  trustProxyHeaders: true, \n});\n```\n\n### Patches\n- 22.0.0-next.7\n- 21.2.9\n- 20.3.25\n- 19.2.25\n\n### Resources\n\n- https://github.com/angular/angular-cli/pull/33031\n- https://angular.dev/best-practices/security#configuring-trusted-proxy-headers",
  "id": "GHSA-69xr-m8h6-h664",
  "modified": "2026-05-14T20:43:37Z",
  "published": "2026-05-06T23:42:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44437"
    },
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular-cli/pull/33031"
    },
    {
      "type": "WEB",
      "url": "https://angular.dev/best-practices/security#configuring-trusted-proxy-headers"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/angular/angular-cli"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefix"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44437 (GCVE-0-2026-44437)

FKIE_CVE-2026-44437

GHSA-69XR-M8H6-H664

Description

Attack Preconditions

Workarounds

Configuring Trusted Proxy Headers

Patches

Resources

Tags

Sightings

Nomenclature