GHSA-xh43-g2fq-wjrj

Published: 25 Feb 2026
Source: github
GitHub: Reviewed
CVSS4: 6.9

Description

Angular SSR has an Open Redirect via X-Forwarded-Prefix

An Open Redirect vulnerability exists in the internal URL processing logic in Angular SSR. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash.

When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header, an attacker can provide a value starting with three slashes (e.g., ///evil.com).

  1. The application processes a redirect (e.g., from a router redirectTo or i18n locale switch).
  2. Angular receives ///evil.com as the prefix.
  3. It strips one slash, leaving //evil.com.
  4. The resulting string is used in the Location header.
  5. Modern browsers interpret // as a protocol-relative URL, redirecting the user from https://your-app.com to https://evil.com.

Impact

This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:

  • Scale: A single request can poison a high-traffic route, impacting all users until the cache expires.
  • SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.
  • Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.

Attack Preconditions

  • The application must use Angular SSR.
  • The application must have routes that perform internal redirects.
  • The infrastructure (Reverse Proxy/CDN) must pass the X-Forwarded-Prefix header to the SSR process without sanitization.
  • The cache must not vary on the X-Forwarded-Prefix header.

Patches

  • 21.2.0-rc.1
  • 21.1.5
  • 20.3.17
  • 19.2.21

Workarounds

Until the patch is applied, developers should sanitize the X-Forwarded-Prefix header in their server.ts before the Angular engine processes the request:

  app.use((req, res, next) => {
    const prefix = req.headers['x-forwarded-prefix']?.trim();
    if (prefix) {
      // Collapse any run of leading slashes or backslashes to a single slash,
      // so the prefix can never start with "//" or "/\" after normalization
      req.headers['x-forwarded-prefix'] = prefix.replace(/^[/\\]+/, '/');
    }
    next();
  });
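The five-step walk-through in the Description and the middleware above can be exercised end to end without Angular or Express. The block below is an added example, not code from the Angular project: it uses a simplified model of the single-slash-stripping join the advisory describes (a reconstruction, not Angular's own implementation), resolves the resulting Location value the way a browser would using the WHATWG URL API, and then shows the same requests with the workaround middleware applied and with a hardened join that strips every leading slash. The hostnames your-app.com and evil.com come from the advisory; the "/en" locale redirect, the function names and the legitimate "/app" prefix are constructed for illustration.

```javascript
// Added example, not code from the Angular project. Models the vulnerable
// join, the browser's resolution of the Location header, and the effect of the
// Workarounds middleware. "/en" and "/app" are constructed inputs.

// Model of the vulnerable normalisation: at most ONE leading slash is removed
// from each part before the parts are joined with "/".
function joinUrlPartsVulnerable(...parts) {
  const normalized = [];
  for (const part of parts) {
    if (part === '') continue;
    let p = part;
    if (p[0] === '/') p = p.slice(1);                // only one slash stripped
    if (p[p.length - 1] === '/') p = p.slice(0, -1);
    if (p !== '') normalized.push(p);
  }
  const joined = normalized.join('/');
  return joined.startsWith('/') ? joined : '/' + joined;
}

// Hardened normalisation: every leading slash or backslash is removed, so the
// joined value always starts with exactly one "/" and can never carry an
// authority (host) of its own.
function joinUrlPartsHardened(...parts) {
  const normalized = [];
  for (const part of parts) {
    const p = part.replace(/^[/\\]+/, '').replace(/[/\\]+$/, '');
    if (p !== '') normalized.push(p);
  }
  return '/' + normalized.join('/');
}

// Where the browser lands: WHATWG URL resolution of a Location value against
// the page origin. A value beginning with "//" (and, for special schemes such
// as https, "/\") is scheme-relative, so the host comes from the value itself.
function landingHost(location, origin = 'https://your-app.com') {
  return new URL(location, origin).host;
}

// The Workarounds middleware, reproduced so it can run against a minimal
// req object with no Express dependency.
function sanitizeForwardedPrefix(req, res, next) {
  const prefix = req.headers['x-forwarded-prefix']?.trim();
  if (prefix) {
    // Collapse any run of leading slashes/backslashes to a single slash.
    req.headers['x-forwarded-prefix'] = prefix.replace(/^[/\\]+/, '/');
  }
  next();
}

// Simulates an i18n locale redirect: Location = join(X-Forwarded-Prefix, "en").
// `sanitize` runs the middleware first; `hardened` swaps in the fixed join.
function simulateRedirect(prefixHeader, { sanitize = false, hardened = false } = {}) {
  const req = { headers: { 'x-forwarded-prefix': prefixHeader } };
  if (sanitize) sanitizeForwardedPrefix(req, null, () => {});
  const join = hardened ? joinUrlPartsHardened : joinUrlPartsVulnerable;
  const location = join(req.headers['x-forwarded-prefix'], 'en');
  return { location, host: landingHost(location) };
}

// Stand-alone run: attacker values with and without the mitigation, plus a
// legitimate prefix to confirm normal routing is preserved.
for (const prefix of ['/app', '///evil.com', '/\\evil.com']) {
  for (const opts of [{}, { sanitize: true }, { hardened: true }]) {
    const { location, host } = simulateRedirect(prefix, opts);
    console.log(JSON.stringify(prefix), JSON.stringify(opts), '->', location, '-> lands on', host);
  }
}
```

Two things the walk-through does not spell out: the legitimate "/app" prefix still produces "/app/en" under every variant, so the mitigation costs nothing, and a prefix of "/\evil.com" (slash, backslash) defeats the single-slash strip just as "///evil.com" does, because browsers treat a backslash like a slash in https URLs; that is why the workaround's regex strips both characters.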

Packages

Name           Ecosystem   Affected versions                  Patched version
@angular/ssr   npm         >= 21.2.0-next.0, < 21.2.0-rc.0    21.2.0-rc.1
@angular/ssr   npm         >= 21.0.0-next.0, < 21.1.5         21.1.5
@angular/ssr   npm         >= 20.0.0-next.0, < 20.3.17        20.3.17
@angular/ssr   npm         >= 19.0.0-next.0, < 19.2.21        19.2.21

EPSS

Score: 0.00059 (percentile: 18%, Low)

CVSS4

6.9 Medium

Weaknesses

CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect')

Related vulnerabilities

nvd
about 1 month ago

The Angular SSR is a server-side rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-rc.1. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes. This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking. In order to be vulnerable, the application must use Angular SSR, the application must have routes that perform internal redirects, the infrastructure (Reverse Proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without sanitization, and the cache must not vary on the `X-Forwarded-Prefix` header. Versions 21.2.0-rc.1, 21.1.5, 20.

debian
about 1 month ago

The Angular SSR is a server-side rendering tool for Angular applicatio ...
