
Update dependency @angular/ssr to v21.2.3 [SECURITY]#301

Open

SuperSandroBot wants to merge 1 commit into main from renovate/npm-angular-ssr-vulnerability

Conversation


@SuperSandroBot SuperSandroBot commented Feb 25, 2026

This PR contains the following updates:

Package: @angular/ssr
Change: 21.2.2 -> 21.2.3

GitHub Vulnerability Alerts

CVE-2026-33397

An Open Redirect vulnerability exists in @angular/ssr due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., ///), the internal validation logic fails to account for a single backslash (\) bypass.

When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header:

  • An attacker provides a value starting with a single backslash (e.g., \evil.com).
  • The internal validation fails to flag the single backslash as invalid.
  • The application prepends a leading forward slash, resulting in a Location header containing /\evil.com.
  • Modern browsers interpret the /\ sequence as //, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain.

Furthermore, the response lacks the Vary: X-Forwarded-Prefix header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning).

Impact

This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:

  • Scale: A single request can poison a high-traffic route, impacting all users until the cache expires.
  • SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.
  • Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.

Patches

  • 22.0.0-next.2
  • 21.2.3
  • 20.3.21

Workarounds

Until the patch is applied, developers should sanitize the X-Forwarded-Prefix header in their server.ts before the Angular engine processes the request:

app.use((req, res, next) => {
  const prefix = req.headers['x-forwarded-prefix'];
  if (typeof prefix === 'string') {
    // Sanitize by removing all leading forward and backward slashes
    req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[/\\]+/, '/');
  }
  next();
});

References

  • Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR (CVE-2026-33397 / GHSA-vfx2-hv2g-xj5f)

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

angular/angular-cli (@angular/ssr)

v21.2.3

Compare Source

@angular/cli
  • 1505164bb (fix): use parsed package name for migrate-only updates

@angular/build
  • 75fa94cad (fix): alias createRequire banner import to avoid duplicate binding
  • d009aa1ec (fix): only use external packages for polyfills when no local files are present

@angular/ssr
  • f3e0e82c2 (fix): disallow x-forwarded-prefix starting with a backslash
  • b8bcd59b4 (fix): ensure unique values in redirect response Vary header
  • 84385411d (fix): support custom headers in redirect responses

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.
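As an added example that is not part of the Renovate comment or of the advisory, the script below exercises the workaround's normalisation against the inputs the advisory names (\evil.com, ///evil.com, an ordinary /app prefix) and uses Node's WHATWG URL parser to show why a Location of /\evil.com resolves off-origin, the same way a browser treats it. buildLocation is a hypothetical stand-in for the "prepend a leading slash" step described in the advisory, not @angular/ssr's own code, and prefixGuard extends the advisory's middleware with the missing Vary header.

```javascript
// Same normalisation as the advisory's workaround: collapse any run of
// leading '/' or '\' into a single '/', so "\evil.com" becomes a plain path.
function sanitizePrefix(raw) {
  return raw.trim().replace(/^[/\\]+/, '/');
}

// Hypothetical stand-in for the vulnerable step the advisory describes:
// the prefix is given a leading '/' if it lacks one. Not the real @angular/ssr code.
function buildLocation(prefix) {
  return prefix.startsWith('/') ? prefix : '/' + prefix;
}

// Defender-side check: resolve the Location value against the site's origin
// the way a browser does (WHATWG parsing treats "/\" like "//") and report
// whether the resulting URL still belongs to that origin.
function staysOnOrigin(location, origin) {
  const resolved = new URL(location, origin);
  return resolved.origin === new URL(origin).origin;
}

// Express-style middleware: sanitise the header before the SSR engine sees it
// and make shared caches key on it, so one poisoned response cannot be served
// to every subsequent visitor of the route.
function prefixGuard(req, res, next) {
  const prefix = req.headers['x-forwarded-prefix'];
  if (typeof prefix === 'string') {
    req.headers['x-forwarded-prefix'] = sanitizePrefix(prefix);
  }
  const vary = res.getHeader('Vary');
  res.setHeader('Vary', vary ? `${vary}, X-Forwarded-Prefix` : 'X-Forwarded-Prefix');
  next();
}

// Walk the advisory's scenario end to end: unsanitised vs. sanitised prefix.
function demo(origin = 'https://trusted.example') {
  const raw = '\\evil.com';
  return {
    unsanitised: staysOnOrigin(buildLocation(raw), origin),
    sanitised: staysOnOrigin(buildLocation(sanitizePrefix(raw)), origin),
  };
}

module.exports = { sanitizePrefix, buildLocation, staysOnOrigin, prefixGuard, demo };
```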

@SuperSandroBot SuperSandroBot force-pushed the renovate/npm-angular-ssr-vulnerability branch from fbdd570 to d4c6d08 Compare February 25, 2026 23:29
@SuperSandroBot SuperSandroBot changed the title Update dependency @angular/ssr to v21.1.5 [SECURITY] Update dependency @angular/ssr to v21.1.5 [SECURITY] - autoclosed Mar 15, 2026
@SuperSandroBot SuperSandroBot deleted the renovate/npm-angular-ssr-vulnerability branch March 15, 2026 20:59
@SuperSandroBot SuperSandroBot changed the title Update dependency @angular/ssr to v21.1.5 [SECURITY] - autoclosed Update dependency @angular/ssr to v21.1.5 [SECURITY] Mar 19, 2026
@SuperSandroBot SuperSandroBot force-pushed the renovate/npm-angular-ssr-vulnerability branch from 850de32 to d4c6d08 Compare March 19, 2026 21:30
@SuperSandroBot SuperSandroBot changed the title Update dependency @angular/ssr to v21.1.5 [SECURITY] Update dependency @angular/ssr to v21.2.3 [SECURITY] Mar 19, 2026