CVE-2026-27738: Angular SSR has an Open Redirect via X-Forwarded-Prefix
An Open Redirect vulnerability exists in the internal URL processing logic in Angular SSR. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash.
When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header, an attacker can provide a value starting with three slashes (e.g., ///evil.com).
- The application processes a redirect (e.g., from a router `redirectTo` or an i18n locale switch).
- Angular receives `///evil.com` as the prefix.
- It strips one slash, leaving `//evil.com`.
- The resulting string is used in the `Location` header.
- Modern browsers interpret `//` as a protocol-relative URL, redirecting the user from `https://your-app.com` to `https://evil.com`.
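The sequence above, modelled as an added example (not Angular SSR's own code): `vulnerableNormalize` reproduces the single-slash strip, `safeNormalize` collapses every leading slash, and `staysOnAppOrigin` is the check a deployment should apply to any `Location` value derived from request headers. The helper names and `APP_ORIGIN` are assumptions; the origin is the one used in the advisory text.

```javascript
// Added example, not Angular SSR's own code. Helper names are assumptions that
// model the normalization described in the advisory. APP_ORIGIN is the origin
// the advisory uses for the application.
const APP_ORIGIN = 'https://your-app.com';

// Flawed behaviour: removes exactly one leading slash, so '///evil.com'
// becomes '//evil.com'.
function vulnerableNormalize(prefix) {
  return prefix.startsWith('/') ? prefix.slice(1) : prefix;
}

// Hardened: remove every leading slash (and backslash, which http(s) URL
// parsers treat as a slash), then prepend exactly one slash, so the result is
// always an origin-relative path and never a scheme-relative URL.
function safeNormalize(prefix) {
  return '/' + prefix.replace(/^[\/\\]+/, '');
}

// Location header value as the advisory describes it: normalized prefix + path.
function buildLocation(normalize, forwardedPrefix, path) {
  return normalize(forwardedPrefix) + path;
}

// Where a browser would send the user: resolve the Location value against the
// application's origin, as a browser does. '//host/...' resolves to https://host.
// Returns null for a value the URL parser rejects.
function redirectTarget(location) {
  try {
    return new URL(location, APP_ORIGIN).href;
  } catch {
    return null;
  }
}

// Defender-side check to run before emitting a Location header built from
// request input: the resolved target must remain on the application's origin.
function staysOnAppOrigin(location) {
  const target = redirectTarget(location);
  return target !== null && new URL(target).origin === APP_ORIGIN;
}

// Demonstration with the value from the advisory.
const hostilePrefix = '///evil.com';
console.log(redirectTarget(buildLocation(vulnerableNormalize, hostilePrefix, '/fr'))); // https://evil.com/fr
console.log(redirectTarget(buildLocation(safeNormalize, hostilePrefix, '/fr')));       // https://your-app.com/evil.com/fr
```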
References
- github.com/advisories/GHSA-xh43-g2fq-wjrj
- github.com/angular/angular-cli
- github.com/angular/angular-cli/commit/f086eccc36d10cf01c426e35864bc32e1e292323
- github.com/angular/angular-cli/issues/32501
- github.com/angular/angular-cli/pull/32521
- github.com/angular/angular-cli/security/advisories/GHSA-xh43-g2fq-wjrj
- nvd.nist.gov/vuln/detail/CVE-2026-27738