CVE-2026-44437

Severity CVSS v4.0:
MEDIUM
Type:
CWE-22 Path Traversal
Publication date:
13/05/2026
Last modified:
28/05/2026

Description

The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic.<br /> When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil. This vulnerability is fixed in19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:angular:angular_cli:*:*:*:*:*:node.js:*:* 19.0.0 (including) 19.2.25 (excluding)
cpe:2.3:a:angular:angular_cli:*:*:*:*:*:node.js:*:* 20.0.0 (including) 20.3.25 (excluding)
cpe:2.3:a:angular:angular_cli:*:*:*:*:*:node.js:*:* 21.0.0 (including) 21.2.9 (excluding)
cpe:2.3:a:angular:angular_cli:22.0.0:next0:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next1:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next2:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next3:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next4:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next5:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next6:*:*:*:node.js:*:*