Angular SSR Open Redirect Vulnerability via X-Forwarded-Prefix Header

Vulnerability

An open redirect vulnerability has been identified in Angular's server-side rendering (SSR) tooling, affecting versions 19.x prior to 19.2.21, 20.x prior to 20.3.17, and 21.x prior to 21.1.5 and 21.2.0-rc.1. The issue arises in the URL normalization step, which mishandles leading slashes in the X-Forwarded-Prefix header. When an application is deployed behind a proxy that forwards this header without sanitizing it, an attacker can supply a value that causes the server to emit a protocol-relative URL (one beginning with //) in the redirect, enabling phishing and SEO hijacking.

Impact

Exploitation of this vulnerability produces an open redirect: users are sent to an external site without their consent, which can be leveraged for phishing. Additionally, because the redirect response carries no proper cache control, a shared cache can store it and serve the malicious redirect to other users (web cache poisoning).

Reproduction

To reproduce this vulnerability, create an Angular SSR application and add a redirect route. Then, send a request with an X-Forwarded-Prefix header that includes multiple leading slashes. The response will include a protocol-relative URL in the Location header, which browsers will interpret as an external redirect.

Remediation

Users should update to Angular SSR version 21.2.0-rc.1, 21.1.5, 20.3.17, or 19.2.21, each of which includes the patch. Alternatively, developers can sanitize the X-Forwarded-Prefix header in their server.ts file before the Angular engine processes the request.
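As an added example (not Angular's own code and not the fix shipped in the patched releases), the following shows the server.ts-side mitigation described above: a normalizer that collapses leading slashes and rejects scheme-bearing values, plus an Express-style middleware that applies it before the request reaches the Angular engine. The helper names and the minimal request type are assumptions; Express types are stubbed so the block runs stand-alone.

```typescript
// Minimal stand-in for an Express request: only the headers are needed here.
interface IncomingLike {
  headers: Record<string, string | string[] | undefined>;
}

/**
 * Normalize an X-Forwarded-Prefix value so that prepending it to a path can
 * never produce a protocol-relative ("//host") or absolute ("http://host") URL.
 * Returns '' when the header is absent or unusable, meaning "no prefix".
 */
export function sanitizeForwardedPrefix(raw: string | string[] | undefined): string {
  // Node may present a repeated header as an array; take the first value.
  const value = Array.isArray(raw) ? raw[0] : raw;
  if (!value) return '';
  // Reject anything carrying a URL scheme ("http:", "javascript:", ...).
  if (/^[a-z][a-z0-9+.-]*:/i.test(value)) return '';
  // Browsers treat backslashes as slashes when parsing URLs; do the same.
  const normalized = value.replace(/\\/g, '/');
  // Collapse any run of leading slashes to exactly one (the core of the bug).
  const single = '/' + normalized.replace(/^\/+/, '');
  // Allow only a conservative path character set; no '?' or '#'.
  if (!/^\/[A-Za-z0-9._~!$&'()*+,;=:@%\/-]*$/.test(single)) return '';
  // A bare '/' is no prefix at all; otherwise drop trailing slashes.
  return single === '/' ? '' : single.replace(/\/+$/, '');
}

/** Build a same-origin redirect target from a (sanitized) prefix and a path. */
export function buildLocation(rawPrefix: string | string[] | undefined, target: string): string {
  const prefix = sanitizeForwardedPrefix(rawPrefix);
  const path = '/' + target.replace(/^\/+/, '');
  return prefix + path;
}

/** Express-style middleware: rewrite or drop the header before Angular sees it. */
export function forwardedPrefixGuard(req: IncomingLike, _res: unknown, next: () => void): void {
  const clean = sanitizeForwardedPrefix(req.headers['x-forwarded-prefix']);
  if (clean) {
    req.headers['x-forwarded-prefix'] = clean;
  } else {
    delete req.headers['x-forwarded-prefix'];
  }
  next();
}
```

Register the guard with app.use() ahead of the Angular request handler so every redirect the engine builds starts from a single-slash prefix.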

Added: Feb 25, 2026, 9:02 PM
Updated: Feb 25, 2026, 9:02 PM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          0.0
impact          0.8
exploitability  8.3
remediation     0.0
relevance       3.2
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.