Angular SSR X-Forwarded-Prefix Header Processing Vulnerability Allowing Path Traversal

Vulnerability

A vulnerability exists in the Angular Server-Side Rendering (SSR) tool, specifically in versions 19.0.0-next.0 prior to 19.2.25, 20.0.0-next.0 prior to 20.3.25, 21.0.0-next.0 prior to 21.2.9, and 22.0.0-next.0 prior to 22.0.0-next.7. The issue arises from the application's handling of the X-Forwarded-Prefix header: the validation step does not correctly account for URL-encoded characters, particularly encoded dots. This lets an attacker bypass the header validation by supplying encoded path traversal sequences that pass the check and are only decoded afterwards, where they take effect inside the application. The vulnerability is triggered when an Angular SSR application configured to trust proxy headers is deployed behind a proxy that forwards the X-Forwarded-Prefix header without sanitizing it. In that setup, an attacker-controlled header value can manipulate the application's routing or its server-side requests.

Impact

Exploitation of this vulnerability leads to open redirect and server-side request steering. The open redirect occurs when the application processes a redirect and the decoded traversal payload manipulates the Location header, causing the browser to navigate to an unintended path or external domain. Server-side request steering happens when the manipulated prefix is used as the base path for server-side HttpClient requests, causing the server to make requests to unintended internal paths or external endpoints.

Remediation

To address this vulnerability, users should update to Angular SSR versions 19.2.25, 20.3.25, 21.2.9, or 22.0.0-next.7. Until the patch can be applied, developers can manually sanitize the X-Forwarded-Prefix header in their server.ts file before the value is trusted. Instructions for configuring trusted proxy headers in Angular applications are also available.
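The following is an added example of the interim mitigation described above; it is not Angular's own code and does not reproduce the patched validation. It assumes the application only ever expects an absolute path prefix such as "/app", that an encoded or double-encoded dot segment must never survive decoding, and that a value it cannot vouch for is better dropped than passed through. The header map shape and the function names are the example's own.

```typescript
// Added example (not Angular's own code): sanitize X-Forwarded-Prefix before an
// SSR handler uses it as a base path for routing, redirects or HttpClient calls.
// Assumption: the prefix is an absolute path; anything else is discarded.

const MAX_DECODE_ROUNDS = 3; // bound on nested percent-encoding layers

// Percent-decode until the value stops changing, so "%2e" and "%252e" are both
// seen as "." by the checks below. Returns null for malformed input (a stray "%")
// or for values still changing after MAX_DECODE_ROUNDS (suspiciously deep nesting).
function fullyDecode(value: string): string | null {
  let current = value;
  for (let round = 0; round < MAX_DECODE_ROUNDS; round++) {
    let next: string;
    try {
      next = decodeURIComponent(current);
    } catch {
      return null; // invalid percent sequence
    }
    if (next === current) return current; // stable: fully decoded
    current = next;
  }
  return null;
}

// Returns a normalized prefix ("/app/v2") or "" when the header must be ignored.
// "" is the conservative default: the app behaves as if no prefix was forwarded
// instead of acting on a value it could not validate.
function sanitizeForwardedPrefix(raw: string | undefined): string {
  if (raw === undefined || raw === "") return "";
  const decoded = fullyDecode(raw);
  if (decoded === null) return "";
  // Backslashes and control characters have no place in a path prefix.
  if (/[\\\x00-\x1f\x7f]/.test(decoded)) return "";
  // Must be an absolute path; "//host" would become a protocol-relative URL
  // (open redirect) if it ever reached a Location header.
  if (!decoded.startsWith("/") || decoded.startsWith("//")) return "";
  // A scheme, query or fragment turns the prefix into something other than a path.
  if (decoded.includes("://") || decoded.includes("?") || decoded.includes("#")) return "";
  const segments = decoded.split("/").filter((s) => s.length !== 0);
  // Dot segments are the traversal primitive; reject rather than normalize, since
  // normalizing would silently accept an attacker-shaped value.
  if (segments.some((s) => s === "." || s === "..")) return "";
  return segments.length === 0 ? "" : "/" + segments.join("/");
}

// Rewrites an incoming header map so that downstream code only ever sees a
// sanitized X-Forwarded-Prefix (or none at all). Multi-valued headers are
// ambiguous and treated as absent.
function scrubForwardedPrefixHeader(
  headers: Record<string, string | string[] | undefined>,
): Record<string, string | string[] | undefined> {
  const out = { ...headers };
  const raw = out["x-forwarded-prefix"];
  const clean = typeof raw === "string" ? sanitizeForwardedPrefix(raw) : "";
  if (clean === "") {
    delete out["x-forwarded-prefix"];
  } else {
    out["x-forwarded-prefix"] = clean;
  }
  return out;
}

// Constructed sample headers, as a proxy might forward them.
const sampleHeaders = {
  host: "app.internal.example",
  "x-forwarded-prefix": "/app/%2e%2e/%2e%2e/admin",
};
console.log(scrubForwardedPrefixHeader(sampleHeaders)); // prefix header dropped
```

In an Express-based server.ts the natural place for this is a middleware registered ahead of the Angular request handler, which replaces the request's x-forwarded-prefix with the sanitized value; the exact wiring depends on how the server.ts is structured and is an assumption here. Rejecting dot segments outright, rather than normalizing them away, is deliberate: a prefix that needed normalizing did not come from a well-behaved proxy.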

Added: May 13, 2026, 10:26 PM
Updated: May 13, 2026, 10:26 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 0.4
exploitability: 4.3
remediation: 7.7
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.