CVE-2026-27738: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in angular angular-cli
Angular SSR is a server-side rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-rc.1. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes. This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking. In order to be vulnerable, the application must use Angular SSR, the application must have routes that perform internal redirects, the infrastructure (reverse proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without sanitization, and the cache must not vary on the `X-Forwarded-Prefix` header. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.
AI Analysis
Technical Summary
CVE-2026-27738 is an Open Redirect vulnerability (CWE-601) affecting Angular SSR (Server-Side Rendering) implementations in angular-cli versions prior to 19.2.21, 20.3.17, and 21.1.5/21.2.0-rc.1. The root cause lies in the internal URL processing logic that normalizes URL segments by stripping only a single leading slash. When Angular SSR applications are deployed behind reverse proxies or CDNs that forward the X-Forwarded-Prefix HTTP header without proper sanitization, an attacker can supply a value starting with three slashes (e.g., ///malicious.com). Due to insufficient normalization, this crafted header can cause the SSR engine to redirect users to untrusted external sites. Exploiting this vulnerability enables large-scale phishing campaigns and SEO hijacking by manipulating URLs to redirect users to attacker-controlled domains. For exploitation, the application must use Angular SSR, have routes performing internal redirects, the infrastructure must forward the X-Forwarded-Prefix header unsanitized, and caching mechanisms must not vary based on this header. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. Angular has released patches in versions 19.2.21, 20.3.17, 21.1.5, and 21.2.0-rc.1 to address this issue by improving URL normalization and header handling. Until patches are applied, developers are advised to manually sanitize the X-Forwarded-Prefix header in their server.ts files before Angular processes requests to prevent malicious redirects.
Potential Impact
The vulnerability allows attackers to redirect users of Angular SSR applications to arbitrary external URLs without their consent, facilitating phishing attacks that can steal credentials or deliver malware. SEO hijacking can also damage the reputation and search rankings of affected websites by injecting malicious redirects. Because the exploit requires no authentication or user interaction and can be triggered remotely, it poses a significant risk to any organization deploying vulnerable Angular SSR apps behind proxies forwarding the X-Forwarded-Prefix header. The impact extends to user trust, brand reputation, and potential regulatory consequences if user data is compromised via phishing. Additionally, compromised SEO rankings can lead to long-term business losses. Organizations with high-traffic Angular SSR applications, especially those relying on reverse proxies or CDNs that forward headers without sanitization, are at elevated risk. The vulnerability’s medium severity reflects a moderate but tangible risk that can be mitigated with proper patching and header validation.
Mitigation Recommendations
1. Upgrade Angular CLI to patched versions: 19.2.21 or later, 20.3.17 or later, and 21.1.5 or later (including 21.2.0-rc.1).
2. Until patches are applied, implement manual sanitization of the X-Forwarded-Prefix header in the server.ts file or equivalent server-side entry point to strip or validate multiple leading slashes and reject suspicious values.
3. Configure reverse proxies and CDNs to avoid forwarding the X-Forwarded-Prefix header to the SSR process unless absolutely necessary, or sanitize it at the proxy level.
4. Ensure caching mechanisms vary on the X-Forwarded-Prefix header to prevent cache poisoning or unintended reuse of malicious redirects.
5. Audit application routes that perform internal redirects to confirm they do not blindly trust header values for URL construction.
6. Implement monitoring and alerting for unusual redirect patterns or spikes in redirect-related errors.
7. Educate developers and DevOps teams about this vulnerability and secure header handling best practices.
8. Conduct penetration testing or code reviews focusing on SSR URL handling and header processing to identify residual risks.
Affected Countries
United States, Germany, India, United Kingdom, Canada, Australia, France, Japan, Netherlands, Brazil, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-23T18:37:14.790Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699f6e70b7ef31ef0b5a0a07
Added to database: 2/25/2026, 9:49:36 PM
Last enriched: 2/25/2026, 9:59:06 PM
Last updated: 2/26/2026, 8:14:29 AM