安全情报

CVE-2026-44437 - Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefi

AiRedTeam

09 May 2026 • 阅读时间 1 分钟

📡 GitHub-Advisory · 2026-05-06

CVE-2026-44437 - Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefi

CVE-2026-44437

GHSA-69xr-m8h6-h664 MEDIUM npm/@angular/ssr

CVE: CVE-2026-44437

Description

A vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic.

When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil.

The vulnerability manifests in two ways:

Open Redirect: The application processes a redirect (e.g., router redirectTo). The decoded traversal payload manipulates the Location header, forcing the browser to an unintended path or external domain.
Server-Side Request Steering: The manipulated prefix is used as the base path for server-side HttpClient requests. This causes the server to make requests to unintended internal paths or external endpoints.

Attack Preconditions

The application must use Angular SSR.
The application must perform internal redirects or use relative URLs in server-side HttpClient requests.
The upstream infrastructure (Reverse Proxy/CDN) must pass the X-Forwarded-Prefix header to the SSR process without stripping or sanitizing it.

Workarounds

Until the patch is applied, developers should manually sanitize the X-Forwarded-Prefix header in their server.ts. The workaround involves decoding the component to catch encoded traversal attempts before normalization:

app.use((req, res, next) => {
  let prefix = req.headers['x-forwarded-prefix'];
  if (Array.isArray(prefix)) prefix = prefix[0];

  if (prefix) {
    try {
      // Decode the prefix to catch encoded characters like %2e (dots)
      const decodedPrefix = decodeURIComponent(prefix);
      
      // Sanitize: remove traversal attempts and ensure a s

📌 来源: GitHub-Advisory | 🆔 CVE-2026-44437 | 📅 2026-05-06