Angular SSR Open Redirect Vulnerability via X-Forwarded-Prefix Header
Vulnerability
An open redirect has been identified in Angular Server-Side Rendering (SSR) applications. It affects versions 22.x prior to 22.0.0-next.2, 21.x prior to 21.2.3, and 20.x prior to 20.3.21. The flaw stems from an incomplete fix for an earlier open redirect: an attacker who can influence the X-Forwarded-Prefix header supplies a value beginning with a single backslash followed by a domain name. When the application normalizes the prefix by prepending a forward slash, the result is a slash-backslash-domain sequence that browsers parse as a protocol-relative URL (the WHATWG URL parser treats a backslash as a forward slash in http and https URLs), so the redirect sends the user to the attacker-controlled host. Because the response carries no Vary: X-Forwarded-Prefix header, an intermediate cache may store the malicious redirect and serve it to other users (web cache poisoning).
Impact
Exploitation allows an attacker to redirect users to an arbitrary external domain. Combined with web cache poisoning, a single poisoned response can be stored by a shared cache and served to every user who subsequently requests the same resource, not only to the victim who received the crafted header.
Reproduction
To reproduce this vulnerability, deploy an Angular SSR application behind a reverse proxy that forwards the X-Forwarded-Prefix header to the application without validating it. Send a request whose X-Forwarded-Prefix value begins with a single backslash followed by an attacker-controlled domain (for example a backslash followed by attacker.example). The application prepends a forward slash, so the Location header of the resulting redirect starts with a slash-backslash pair followed by the domain; the browser resolves that as a protocol-relative URL and navigates to the attacker's domain. If a shared cache sits in front of the application, check whether the poisoned redirect is returned to a subsequent request that does not carry the header.
Remediation
Update to Angular SSR versions 22.0.0-next.2, 21.2.3, or 20.3.21. If an immediate update is not possible, validate or strip the X-Forwarded-Prefix header in the server.ts file before the request reaches the Angular engine: accept only a value that starts with exactly one forward slash and contains no backslashes or double slashes, and discard anything else. Where the application is served through a shared cache, also emit Vary: X-Forwarded-Prefix so that responses are keyed on the header and a poisoned redirect cannot be served to other users.
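The following TypeScript is an added example for this advisory and is not Angular's code. It covers both the Reproduction and Remediation sections above: naiveNormalizePrefix and vulnerableRedirectLocation are a hypothetical reconstruction of the normalization the advisory describes (not Angular's actual source), hostAfterRedirect uses Node's WHATWG URL parser to show how a browser resolves the resulting Location header, and forwardedPrefixGuard is a hypothetical Express-style middleware of the kind that could be registered in server.ts ahead of the Angular engine. The domains app.example and evil.example are constructed for the demonstration.

```typescript
// Added example, not Angular's code. Shows why "\evil.example" turns into a
// protocol-relative redirect and how to neutralize the header before SSR sees it.

// Hypothetical reconstruction of the vulnerable normalization: make sure the
// prefix starts with "/" by prepending one when missing. "\evil.example"
// becomes "/\evil.example".
export function naiveNormalizePrefix(prefix: string): string {
  return prefix.startsWith('/') ? prefix : '/' + prefix;
}

// Hypothetical redirect built from the normalized prefix (e.g. a trailing-slash
// redirect issued by the SSR server).
export function vulnerableRedirectLocation(forwardedPrefix: string, path: string): string {
  return naiveNormalizePrefix(forwardedPrefix) + path;
}

// Resolve a Location header the way a browser does. The WHATWG URL parser treats
// "\" as "/" for http/https, so "/\evil.example/" resolves to https://evil.example/.
export function hostAfterRedirect(location: string, currentUrl: string): string {
  return new URL(location, currentUrl).host;
}

// Hardened handling: accept only a prefix that starts with exactly one "/" and
// contains nothing but an allow-listed set of path characters. Backslashes,
// "//", schemes, whitespace and control characters are all rejected. The
// allow-list is a deliberately strict choice made for this example.
const SAFE_PREFIX = /^\/(?!\/)[A-Za-z0-9._~\-\/]*$/;

export function sanitizeForwardedPrefix(raw: string | undefined): string {
  if (!raw || !SAFE_PREFIX.test(raw) || raw.includes('//')) return '';
  return raw.replace(/\/+$/, ''); // drop trailing slashes; "/" alone becomes ""
}

// Minimal structural types so the middleware runs without importing express.
interface RequestLike { headers: Record<string, string | string[] | undefined>; }
interface ResponseLike {
  getHeader(name: string): string | number | string[] | undefined;
  setHeader(name: string, value: string): void;
}

// Hypothetical middleware to register before the Angular engine: rewrites the
// header to a validated value or removes it, and adds Vary so shared caches key
// on the header instead of serving one client's redirect to everyone.
export function forwardedPrefixGuard(req: RequestLike, res: ResponseLike, next: () => void): void {
  const raw = req.headers['x-forwarded-prefix'];
  const safe = sanitizeForwardedPrefix(Array.isArray(raw) ? raw[0] : raw);
  if (safe) {
    req.headers['x-forwarded-prefix'] = safe;
  } else {
    delete req.headers['x-forwarded-prefix'];
  }
  const existing = res.getHeader('Vary');
  const parts = existing === undefined
    ? []
    : String(existing).split(',').map((s) => s.trim()).filter(Boolean);
  if (!parts.some((p) => p.toLowerCase() === 'x-forwarded-prefix')) parts.push('X-Forwarded-Prefix');
  res.setHeader('Vary', parts.join(', '));
  next();
}

// Walk through the attack with the constructed payload and show that the
// sanitizer leaves the user on the original host.
export function demo(): { vulnerableHost: string; hardenedHost: string } {
  const current = 'https://app.example/';
  const payload = '\\evil.example'; // constructed attacker value for X-Forwarded-Prefix
  const vulnerableHost = hostAfterRedirect(vulnerableRedirectLocation(payload, '/'), current);
  const hardenedHost = hostAfterRedirect(sanitizeForwardedPrefix(payload) + '/', current);
  return { vulnerableHost, hardenedHost };
}
```

Run demo() to see the two outcomes side by side: the unvalidated payload lands on evil.example, while the sanitized prefix is dropped and the redirect stays on app.example. The allow-list in sanitizeForwardedPrefix is intentionally narrow; widen it only for characters your deployment actually needs in a path prefix, and keep the backslash and double-slash rejections in place.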
