Skip to content

Update dependency @angular/ssr to v21.2.9 [SECURITY]#308

Open
SuperSandroBot wants to merge 1 commit into
mainfrom
renovate/npm-angular-ssr-vulnerability
Open

Update dependency @angular/ssr to v21.2.9 [SECURITY]#308
SuperSandroBot wants to merge 1 commit into
mainfrom
renovate/npm-angular-ssr-vulnerability

Conversation

@SuperSandroBot
Copy link
Copy Markdown
Contributor

@SuperSandroBot SuperSandroBot commented May 7, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@angular/ssr 21.2.7 -> 21.2.9 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2026-44437

Description

A vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic.
When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil.

The vulnerability manifests in two ways:

  • Open Redirect: The application processes a redirect (e.g., router redirectTo). The decoded traversal payload manipulates the Location header, forcing the browser to an unintended path or external domain.
  • Server-Side Request Steering: The manipulated prefix is used as the base path for server-side HttpClient requests. This causes the server to make requests to unintended internal paths or external endpoints.

Attack Preconditions

  • The application must use Angular SSR.
  • The application must perform internal redirects or use relative URLs in server-side HttpClient requests.
  • The upstream infrastructure (Reverse Proxy/CDN) must pass the X-Forwarded-Prefix header to the SSR process without stripping or sanitizing it.

Workarounds

Until the patch is applied, developers should manually sanitize the X-Forwarded-Prefix header in their server.ts. The workaround involves decoding the component to catch encoded traversal attempts before normalization:

app.use((req, res, next) => {
  let prefix = req.headers['x-forwarded-prefix'];
  if (Array.isArray(prefix)) prefix = prefix[0];

  if (prefix) {
    try {
      // Decode the prefix to catch encoded characters like %2e (dots)
      const decodedPrefix = decodeURIComponent(prefix);
      
      // Sanitize: remove traversal attempts and ensure a safe leading slash
      req.headers['x-forwarded-prefix'] = decodedPrefix
        .replace(/\.\./g, '')       // Remove any dot-dot sequences
        .replace(/^[/\\]+/, '/');   // Ensure it starts with exactly one slash
    } catch (e) {
      // If decoding fails, remove the potentially malicious header entirely
      delete req.headers['x-forwarded-prefix'];
    }
  }
  next();
});

Configuring Trusted Proxy Headers

By default, Angular ignores all X-Forwarded-* headers. If your application is behind a trusted reverse proxy (like a load balancer) that sets these headers, you can configure Angular to trust them.
You can configure trustProxyHeaders when initializing the application engine:

const appEngine = new AngularAppEngine({
  // Trust specific headers
  trustProxyHeaders: ['x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-prefix'], 
});

const nodeAppEngine = new AngularNodeAppEngine({
  // Trust all X-Forwarded-* headers
  trustProxyHeaders: true, 
});

Patches

  • 22.0.0-next.7
  • 21.2.9
  • 20.3.25
  • 19.2.25

Resources

Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefix

CVE-2026-44437 / GHSA-69xr-m8h6-h664

More information

Details

Description

A vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic.
When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil.

The vulnerability manifests in two ways:

  • Open Redirect: The application processes a redirect (e.g., router redirectTo). The decoded traversal payload manipulates the Location header, forcing the browser to an unintended path or external domain.
  • Server-Side Request Steering: The manipulated prefix is used as the base path for server-side HttpClient requests. This causes the server to make requests to unintended internal paths or external endpoints.
Attack Preconditions
  • The application must use Angular SSR.
  • The application must perform internal redirects or use relative URLs in server-side HttpClient requests.
  • The upstream infrastructure (Reverse Proxy/CDN) must pass the X-Forwarded-Prefix header to the SSR process without stripping or sanitizing it.
Workarounds

Until the patch is applied, developers should manually sanitize the X-Forwarded-Prefix header in their server.ts. The workaround involves decoding the component to catch encoded traversal attempts before normalization:

app.use((req, res, next) => {
  let prefix = req.headers['x-forwarded-prefix'];
  if (Array.isArray(prefix)) prefix = prefix[0];

  if (prefix) {
    try {
      // Decode the prefix to catch encoded characters like %2e (dots)
      const decodedPrefix = decodeURIComponent(prefix);
      
      // Sanitize: remove traversal attempts and ensure a safe leading slash
      req.headers['x-forwarded-prefix'] = decodedPrefix
        .replace(/\.\./g, '')       // Remove any dot-dot sequences
        .replace(/^[/\\]+/, '/');   // Ensure it starts with exactly one slash
    } catch (e) {
      // If decoding fails, remove the potentially malicious header entirely
      delete req.headers['x-forwarded-prefix'];
    }
  }
  next();
});
Configuring Trusted Proxy Headers

By default, Angular ignores all X-Forwarded-* headers. If your application is behind a trusted reverse proxy (like a load balancer) that sets these headers, you can configure Angular to trust them.
You can configure trustProxyHeaders when initializing the application engine:

const appEngine = new AngularAppEngine({
  // Trust specific headers
  trustProxyHeaders: ['x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-prefix'], 
});

const nodeAppEngine = new AngularNodeAppEngine({
  // Trust all X-Forwarded-* headers
  trustProxyHeaders: true, 
});
Patches
  • 22.0.0-next.7
  • 21.2.9
  • 20.3.25
  • 19.2.25
Resources

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

angular/angular-cli (@​angular/ssr)

v21.2.9

Compare Source

@​angular/cli
Commit Type Description
233deef01 fix fix broken img ref in ai-tutor
7cea9885c fix introduce initial package manager workspace awareness
5b1a5b743 fix remove standalone true ref in ai tutor
@​schematics/angular
Commit Type Description
e7abeb5c7 fix add missing imports for focus and skip APIs in refactor-jasmine-vitest
@​angular/ssr
Commit Type Description
94023f62c fix introduce trustProxyHeaders option to safely validate and sanitize proxy headers
5ffe5c309 fix add support for configuring trusted proxy headers via environment variable
930ada9b7 fix decode route segments when building and matching route tree
0dc8a440c fix use router to normalize URLs for comparison

v21.2.8: 21.2.8

Compare Source

@​angular/cli
Commit Description
fix - e91280c05 dynamically resolve project Angular CLI executable inside MCP tools
fix - 01af6741b ignore EBADF file system errors during MCP project scan
fix - f7a3e6ed8 use headless option in MCP test tool
@​angular-devkit/build-angular
Commit Description
fix - 00336c037 ensure route has leading slash in prerender builder
fix - e87d302d6 fix app-shell route format and
@​angular/build
Commit Description
fix - c93140a54 use rootDir for HMR component updates path resolution
fix - 6df2b1488 validate V8 coverage support for browsers in Vitest

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SuperSandro2000 SuperSandro2000 Awaiting requested review from SuperSandro2000 SuperSandro2000 is a code owner

@MarcelCoding MarcelCoding Awaiting requested review from MarcelCoding MarcelCoding is a code owner

Assignees

@SuperSandro2000 SuperSandro2000

@MarcelCoding MarcelCoding

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@SuperSandroBot @SuperSandro2000 @MarcelCoding