This vulnerability in Angular SSR involves improper limitation of a pathname to a restricted directory (CWE-22) due to inadequate validation of the X-Forwarded-Prefix header. Specifically, the validation logic fails to decode and properly handle URL-encoded path traversal sequences (%2e%2e), enabling attackers to inject malicious path traversal payloads that bypass security filters. The flaw exists in Angular CLI versions prior to 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7. The vulnerability is relevant when Angular SSR trusts proxy headers and the proxy forwards the X-Forwarded-Prefix header without sanitization. The issue has been addressed in the specified fixed versions.

An attacker can bypass security filters by injecting encoded path traversal sequences in the X-Forwarded-Prefix header, potentially causing the application to process unauthorized paths. This could lead to unauthorized access to restricted directories or resources within the Angular SSR application environment. The impact is limited to configurations where proxy headers are trusted and forwarded without sanitization. There are no known exploits in the wild at this time.

This vulnerability is fixed in Angular CLI versions 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7 and later. Users should upgrade to these or newer versions to remediate the issue. If upgrading is not immediately possible, ensure that proxies do not forward unsanitized X-Forwarded-Prefix headers or disable trusting proxy headers in Angular SSR configurations. Patch status is not explicitly confirmed in vendor advisories, so verify the upgrade versions against official Angular release notes for confirmation.