CVE-2026-27738
Status: Received - Intake
Open Redirect in Angular SSR Enables Phishing and SEO Hijacking

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Angular SSR is a server-side rendering tool for Angular applications. An Open Redirect vulnerability exists in its internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-rc.1. The logic normalizes URL segments by stripping leading slashes; however, it removes only a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes. This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking. In order to be vulnerable, the application must use Angular SSR, the application must have routes that perform internal redirects, the infrastructure (reverse proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without sanitization, and the cache must not vary on the `X-Forwarded-Prefix` header. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.
Meta Information
- Published: 2026-02-25
- Last Modified: 2026-02-27
- Generated: 2026-05-07
- AI Q&A: 2026-02-25
- EPSS Evaluated: 2026-05-05
- External references: NVD, EUVD
Affected Vendors & Products
Showing 10 associated CPEs

| Vendor  | Product     | Version / Range |
|---------|-------------|-----------------|
| angular | angular_ssr | up to 19.2.21, 20.3.17, 21.1.5 and 21.2.0-rc.1 (each excluding) |
| angular | angular_ssr | up to 21.2.0-rc.1 (excluding) |
| angular | angular_ssr | up to 21.1.5 (excluding) |
| angular | angular_ssr | up to 20.3.17 (excluding) |
| angular | angular_ssr | up to 19.2.21 (excluding) |
| angular | angular_cli | 21.1.4 |
| angular | angular_cli | from 21.2.0-next.0 (including) to 21.2.0-rc.1 (excluding) |
| angular | angular_cli | from 21.0.0-next.0 (including) to 21.1.5 (excluding) |
| angular | angular_cli | from 20.0.0-next.0 (including) to 20.3.17 (excluding) |
| angular | angular_cli | from 19.0.0-next.0 (including) to 19.2.21 (excluding) |
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27738 is an Open Redirect vulnerability in Angular Server-Side Rendering (SSR) applications caused by improper sanitization of the `X-Forwarded-Prefix` HTTP header.

The vulnerability arises because the internal URL processing function `joinUrlParts()` only removes a single leading slash from URL segments. If an attacker supplies a value with multiple leading slashes (e.g., `///evil.com`) in the `X-Forwarded-Prefix` header, the function strips only one slash, resulting in a URL starting with `//evil.com`.

Browsers interpret URLs starting with `//` as protocol-relative URLs, causing the application to redirect users from the trusted domain to an attacker-controlled domain. This happens when the Angular SSR app issues redirects using the manipulated URL, for example, in routes that perform internal redirects.

The root cause is the insufficient removal of leading slashes in the URL normalization logic and lack of strict validation of the `X-Forwarded-Prefix` header. The vulnerability can be exploited when the SSR app is behind a proxy that forwards the `X-Forwarded-Prefix` header without sanitization.

The vulnerability enables attackers to redirect users to malicious sites, facilitating phishing attacks and SEO hijacking.


How can this vulnerability impact me?

This vulnerability can have several impacts on affected Angular SSR applications:

- Enables large-scale phishing attacks by redirecting users from a trusted domain to attacker-controlled malicious sites.
- Allows SEO hijacking, where search engine crawlers index malicious redirects, damaging the site's reputation and search rankings.
- Because the redirect originates from a trusted domain, users and security tools are less likely to detect the malicious redirect.
- The lack of `Cache-Control` headers on redirect responses allows intermediate caches and CDNs to store and serve poisoned redirects to other users, amplifying the attack via web cache poisoning.
- Overall, the vulnerability can lead to compromised user trust, potential credential theft, and damage to the application's reputation.

[1, 2, 3, 4]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing whether your Angular SSR application improperly handles the `X-Forwarded-Prefix` header with multiple leading slashes. A minimal reproduction involves sending an HTTP request to your Angular SSR app with a crafted header such as `X-Forwarded-Prefix: ///evil.com` and observing whether the server responds with a 302 redirect whose `Location` header starts with `//evil.com`.

You can use curl to test this behavior by sending a request with the malicious header and inspecting the `Location` header in the response. For example:

```bash
curl -v -H "X-Forwarded-Prefix: ///evil.com" https://your-angular-ssr-app.com/redirect
```

If the response includes a 302 redirect with a `Location` header like `//evil.com/home`, your application is vulnerable.

Additionally, monitoring your reverse proxy or CDN logs for requests containing suspicious `X-Forwarded-Prefix` headers with multiple leading slashes can help detect exploitation attempts. [1]
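As an added example (not part of the advisory, the Q&A above, or the Angular project), the following TypeScript scans reverse-proxy log lines for the two indicators just described: an `X-Forwarded-Prefix` value with two or more leading slashes (or backslashes), and a 3xx response whose `Location` is protocol-relative. The log format, the `scanProxyLog` function, `LINE_RE` and the sample lines are all constructed for this illustration; adapt the regex to the format your proxy or CDN actually writes.

```typescript
// Added example; not from the advisory or the Angular project. The log format
// (timestamp ip "METHOD path" xfp="..." status loc="...") and the sample lines
// are constructed for this illustration; adapt LINE_RE to your proxy's format.

interface PrefixFinding {
  line: number;        // 1-based line number in the log
  clientIp: string;
  reason: string;
  value: string;
}

// Two or more leading slashes or backslashes: the shape the advisory warns about.
const MULTI_SLASH = /^[/\\]{2,}/;

// timestamp, client ip, quoted request line, optional xfp="...", status, optional loc="..."
const LINE_RE = /^(\S+)\s+(\S+)\s+"([^"]*)"\s+(?:xfp="([^"]*)"\s+)?(\d{3})(?:\s+loc="([^"]*)")?/;

function scanProxyLog(lines: string[]): PrefixFinding[] {
  const findings: PrefixFinding[] = [];
  lines.forEach((text, idx) => {
    const m = LINE_RE.exec(text);
    if (m === null) return;              // not a request line we understand
    const clientIp = m[2] ?? '-';
    const xfp = m[4];
    const status = m[5] ?? '';
    const loc = m[6];
    if (xfp !== undefined && MULTI_SLASH.test(xfp)) {
      findings.push({ line: idx + 1, clientIp, reason: 'multi-slash X-Forwarded-Prefix', value: xfp });
    }
    // A 3xx whose Location is protocol-relative is the symptom of a successful redirect abuse.
    if (loc !== undefined && status.startsWith('3') && MULTI_SLASH.test(loc)) {
      findings.push({ line: idx + 1, clientIp, reason: 'protocol-relative Location', value: loc });
    }
  });
  return findings;
}

// Constructed sample log (RFC 5737 documentation addresses, not real traffic).
const SAMPLE_PROXY_LOG: string[] = [
  '2026-02-26T10:00:01Z 198.51.100.7 "GET /redirect" xfp="/app" 302 loc="/app/home"',
  '2026-02-26T10:00:02Z 203.0.113.5 "GET /redirect" xfp="///evil.example" 302 loc="//evil.example/home"',
  '2026-02-26T10:00:03Z 203.0.113.5 "GET /redirect" xfp="/\\evil.example" 302 loc="/\\evil.example/home"',
  '2026-02-26T10:00:04Z 192.0.2.9 "GET /home" 200',
];

for (const f of scanProxyLog(SAMPLE_PROXY_LOG)) {
  console.log(`line ${f.line} ${f.clientIp}: ${f.reason} (${f.value})`);
}
```

The backslash variant is included because the workaround in the next answer strips backslashes as well as slashes; a detection that only looks for `//` would miss it. Pair the prefix check with the `Location` check so you can distinguish probing (header seen, safe redirect) from a response that actually left the origin.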


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps before applying the official patch include sanitizing the `X-Forwarded-Prefix` header in your Angular SSR application's server code to remove all but one leading slash.

For example, in your `server.ts` file, add middleware to normalize the header as follows:

```typescript
app.use((req, res, next) => {
  const prefix = req.headers['x-forwarded-prefix']?.trim();
  if (prefix) {
    req.headers['x-forwarded-prefix'] = prefix.replace(/^[/\\]+/, '/');
  }
  next();
});
```

This sanitization collapses multiple leading slashes, preventing the creation of protocol-relative URLs that cause open redirects.

Additionally, update your Angular SSR package to one of the patched versions: 21.2.0-rc.1, 21.1.5, 20.3.17, or 19.2.21, which include fixes that strip all leading slashes and validate the `X-Forwarded-Prefix` header strictly.

Also, ensure that your reverse proxy or CDN sanitizes or does not forward unsanitized `X-Forwarded-Prefix` headers, and configure caching to vary on this header or disable caching of redirect responses to prevent cache poisoning. [2, 3, 4]
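The following TypeScript is an added example, not code from the advisory or from the Angular project. It serves both the explanation of `joinUrlParts()` earlier on this page and the `server.ts` workaround in this answer: it models the described normalization (one leading slash stripped per segment, then a leading slash ensured) beside a corrected join that strips every leading and trailing slash, and it wraps the workaround as a plain function so the whole pipeline (header, then sanitizer, then join, then `Location`) can be exercised without Express. `joinUrlPartsVulnerable`, `joinUrlPartsFixed`, `sanitizeForwardedPrefix`, `buildRedirectLocation` and the path allowlist regex are assumptions made for the illustration; the real Angular implementation may differ in its details.

```typescript
// Added example for CVE-2026-27738; not Angular's source. joinUrlPartsVulnerable
// models the flawed normalization described in the advisory, joinUrlPartsFixed the
// corrected one, and sanitizeForwardedPrefix the server.ts workaround. All names
// below are assumptions for this illustration.

type HeaderMap = Record<string, string | undefined>;

function addLeadingSlash(url: string): string {
  return url.startsWith('/') ? url : '/' + url;
}

// Model of the vulnerable join: each segment loses exactly ONE leading and ONE
// trailing slash, so "///evil.com" becomes "//evil.com" and survives the join.
function joinUrlPartsVulnerable(...parts: string[]): string {
  const cleaned: string[] = [];
  for (const part of parts) {
    let p = part;
    if (p.startsWith('/')) p = p.slice(1);
    if (p.endsWith('/')) p = p.slice(0, -1);
    if (p !== '') cleaned.push(p);
  }
  return addLeadingSlash(cleaned.join('/'));
}

// Corrected join: strip every leading and trailing slash or backslash, so no
// segment can smuggle a second slash to the front of the result.
function joinUrlPartsFixed(...parts: string[]): string {
  const cleaned = parts
    .map((p) => p.replace(/^[/\\]+/, '').replace(/[/\\]+$/, ''))
    .filter((p) => p !== '');
  return addLeadingSlash(cleaned.join('/'));
}

// Browsers resolve "//host/path" (and, in some cases, "/\host/path") as
// protocol-relative, i.e. as a different origin.
function isProtocolRelative(location: string): boolean {
  return /^[/\\]{2}/.test(location);
}

// The server.ts workaround as a pure function: collapse leading slashes and
// backslashes to one, then keep the header only if it looks like a plain path
// prefix. Anything else (scheme, host, odd characters) drops the header.
function sanitizeForwardedPrefix(headers: HeaderMap): HeaderMap {
  const raw = headers['x-forwarded-prefix']?.trim();
  if (raw === undefined || raw === '') return headers;
  const collapsed = raw.replace(/^[/\\]+/, '/');
  const looksLikePath = /^\/(?:[A-Za-z0-9._~-]+\/?)*$/.test(collapsed);
  return { ...headers, 'x-forwarded-prefix': looksLikePath ? collapsed : undefined };
}

// Simulated internal redirect route: the app redirects to "/home" under the
// forwarded prefix, using whichever join implementation is supplied.
function buildRedirectLocation(
  headers: HeaderMap,
  join: (...parts: string[]) => string,
): string {
  return join(headers['x-forwarded-prefix'] ?? '', '/home');
}
```

Running `buildRedirectLocation({ 'x-forwarded-prefix': '///evil.com' }, joinUrlPartsVulnerable)` shows the failure mode (`//evil.com/home`, which `isProtocolRelative` flags); passing the same headers through `sanitizeForwardedPrefix` first, or using `joinUrlPartsFixed`, yields a same-origin `/evil.com/home`. The allowlist in the sanitizer goes one step beyond the answer's regex by dropping prefixes that carry a scheme or host, which is the stricter validation the patched versions are described as adding.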

