CVE-2026-27738: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in angular angular-cli
Angular SSR is a server-side rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-rc.1. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes. This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking. In order to be vulnerable, the application must use Angular SSR, the application must have routes that perform internal redirects, the infrastructure (Reverse Proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without sanitization, and the cache must not vary on the `X-Forwarded-Prefix` header. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.
AI Analysis
Technical Summary
CVE-2026-27738 is an Open Redirect vulnerability (CWE-601) found in Angular SSR implementations within angular-cli versions before 19.2.21, 20.3.17, and 21.1.5/21.2.0-rc.1. Angular SSR is a server-side rendering tool that improves performance and SEO for Angular applications. The vulnerability stems from the internal URL processing logic that normalizes URL segments by stripping only a single leading slash. When deployed behind a reverse proxy or CDN that forwards the X-Forwarded-Prefix header, an attacker can supply a value starting with three slashes (e.g., ///evil.com), which bypasses the normalization and causes the SSR application to redirect users to an untrusted external site. This behavior can be abused for large-scale phishing campaigns, where users are redirected to malicious sites appearing as legitimate, and for SEO hijacking, where attackers manipulate search engine rankings by redirecting traffic. To be vulnerable, the application must use Angular SSR, have routes performing internal redirects, rely on infrastructure passing the X-Forwarded-Prefix header without sanitization, and have caching mechanisms that do not vary based on this header. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk. Angular has released patches in versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 to fix this issue by properly handling URL normalization and header sanitization. Until these patches are applied, developers are advised to sanitize the X-Forwarded-Prefix header manually in their server.ts files before Angular processes the request to prevent exploitation.
Potential Impact
This vulnerability allows attackers to redirect users of vulnerable Angular SSR applications to malicious external websites without their consent or knowledge. The primary risks include large-scale phishing attacks, where users may be tricked into divulging sensitive information such as credentials or financial data, and SEO hijacking, which can damage the reputation and search engine rankings of legitimate sites. Organizations running Angular SSR behind proxies or CDNs that forward the X-Forwarded-Prefix header without proper sanitization are at risk. The impact extends to confidentiality (through phishing), integrity (by misleading users and search engines), and availability (potentially through user trust erosion). Because exploitation requires no authentication or user interaction and can be performed remotely, the threat can be widespread and automated. However, the scope is limited to Angular SSR applications with specific infrastructure configurations, reducing the overall attack surface. Nevertheless, organizations relying on Angular SSR for critical web applications, especially those with high user traffic or sensitive data, face significant reputational and operational risks if unpatched.
Mitigation Recommendations
1. Upgrade angular-cli to the patched versions: 19.2.21 or later, 20.3.17 or later, and 21.1.5 or later (including 21.2.0-rc.1).
2. Until patches are applied, implement manual sanitization of the X-Forwarded-Prefix header in the server.ts file to strip or validate multiple leading slashes and reject suspicious header values before Angular SSR processes the request.
3. Configure reverse proxies and CDNs to either not forward the X-Forwarded-Prefix header or sanitize it to prevent multiple leading slashes.
4. Adjust caching policies to vary cache entries based on the X-Forwarded-Prefix header to avoid serving cached malicious redirects.
5. Audit application routes that perform internal redirects to ensure they validate and constrain redirect targets strictly to trusted internal URLs.
6. Monitor web traffic and logs for unusual redirect patterns or requests containing suspicious X-Forwarded-Prefix header values.
7. Educate developers and DevOps teams about this vulnerability and the importance of secure header handling in SSR environments.
8. Employ web application firewalls (WAFs) with rules to detect and block open redirect attempts involving malformed X-Forwarded-Prefix headers.
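As an added example that is not part of this advisory or of Angular's code base: a small TypeScript illustration of the single-slash normalization the advisory describes, beside an allow-list sanitizer for X-Forwarded-Prefix that a server.ts could apply before the Angular engine handles the request, plus an origin check for the resulting redirect. Function names, the header-rewrite placement and the sample values are assumptions.

```typescript
// Added example for this advisory (not Angular's or angular-cli's own code; all
// names are hypothetical). It contrasts the single-slash normalization the advisory
// describes with an allow-list sanitizer for X-Forwarded-Prefix to apply in server.ts.

// Flawed normalization as the advisory describes it: only ONE leading slash is removed.
function stripOneLeadingSlash(segment: string): string {
  return segment.startsWith("/") ? segment.slice(1) : segment;
}

// Constructed illustration of an internal redirect that honours the forwarded prefix.
function buildLocation(prefix: string, path: string): string {
  const p = stripOneLeadingSlash(prefix);
  return p ? "/" + p + path : path;
}

// Resolves a Location value against the site origin and reports whether it stays there.
// "///evil.com/login" resolves to https://evil.com under WHATWG URL parsing rules.
function redirectStaysOnOrigin(location: string, origin: string): boolean {
  return new URL(location, origin).origin === origin;
}

// Hardened handling: accept only "/segment(/segment)*" built from unreserved characters.
// An empty segment ("//"), a scheme (":"), query ("?"), fragment ("#") or backslash fails
// the allow-list, and the header is then treated as absent rather than repaired.
function sanitizeForwardedPrefix(raw: string | string[] | undefined): string {
  const value = Array.isArray(raw) ? raw[0] : raw;
  if (typeof value !== "string") return "";
  const trimmed = value.replace(/\/+$/, ""); // drop trailing slashes; "/" becomes ""
  return /^(\/[A-Za-z0-9._~-]+)+$/.test(trimmed) ? trimmed : "";
}

// Run this on req.headers in server.ts before the Angular engine handles the request,
// e.g. from an Express middleware (the placement is an assumption, not an Angular API).
type HeaderMap = Record<string, string | string[] | undefined>;
function normalizeForwardedPrefixHeader(headers: HeaderMap): HeaderMap {
  const safe = sanitizeForwardedPrefix(headers["x-forwarded-prefix"]);
  if (safe) headers["x-forwarded-prefix"] = safe;
  else delete headers["x-forwarded-prefix"];
  return headers;
}

// Defence in depth: even with a sanitized prefix, refuse a redirect that leaves the origin.
function guardedLocation(headers: HeaderMap, path: string, origin: string): string {
  const loc = buildLocation(sanitizeForwardedPrefix(headers["x-forwarded-prefix"]), path);
  if (!redirectStaysOnOrigin(loc, origin)) throw new Error("refusing off-origin redirect");
  return loc;
}
```

The origin check is the one worth keeping even after upgrading, since it catches any other path by which a Location header could come to start with two or more slashes.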
Affected Countries
United States, Germany, India, United Kingdom, Canada, Australia, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-23T18:37:14.790Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699f6e70b7ef31ef0b5a0a07
Added to database: 2/25/2026, 9:49:36 PM
Last enriched: 3/5/2026, 9:49:18 AM
Last updated: 4/12/2026, 7:06:10 AM