CVE-2026-33397
March 26, 2026
Angular SSR is a server-side rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in "@angular/ssr" due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., "///"), the internal validation logic fails to account for a bypass using a single backslash ("\"). When an Angular SSR application is deployed behind a proxy that passes the "X-Forwarded-Prefix" header, an attacker can supply a value starting with a single backslash. The internal validation does not flag the single backslash as invalid, the application prepends a leading forward slash, and the resulting "Location" header contains the attacker's URL; modern browsers interpret the "/\" sequence as "//", treat it as a protocol-relative URL, and redirect the user to the attacker-controlled domain. Furthermore, the response lacks the "Vary: X-Forwarded-Prefix" header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the "X-Forwarded-Prefix" header in their "server.ts" before the Angular engine processes the request.
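As an added example (not @angular/ssr code or the project's patch), the guard below shows what the suggested server.ts mitigation looks like in TypeScript: a prefix validator that rejects the single-backslash and protocol-relative forms, and a middleware that strips a bad header and adds the missing Vary header. The function names and the minimal request/response types are assumptions made for this example.

```typescript
// Added example (not @angular/ssr code): hardened handling of the X-Forwarded-Prefix
// header in a server.ts, installed before the Angular engine sees the request.
type Req = { headers: Record<string, string | string[] | undefined> };
type Res = { setHeader(name: string, value: string): void };

/** The incomplete check the advisory describes: only runs of leading forward slashes
 *  are rejected, so a value beginning with a single backslash passes. Kept for contrast. */
export function isValidPrefixIncomplete(prefix: string): boolean {
  return !/^\/{2,}/.test(prefix);
}

/** Hardened check. A trusted prefix is empty or an absolute path built only from
 *  RFC 3986 pchar characters, which excludes backslashes outright; a second leading
 *  "/" or "\" (protocol-relative in browsers) and dot segments are rejected as well. */
export function isValidPrefix(prefix: string): boolean {
  if (prefix === '') return true;
  if (!/^\/[A-Za-z0-9._~!$&'()*+,;=:@%\/-]*$/.test(prefix)) return false;
  if (/^\/[\/\\]/.test(prefix)) return false;
  return !prefix.split('/').some((seg) => seg === '.' || seg === '..');
}

/** Prefix handling as a redirect would apply it: an untrusted header is dropped
 *  rather than prepended, so the Location value stays a same-origin path. */
export function redirectLocation(forwardedPrefix: string | undefined, path: string): string {
  const prefix = forwardedPrefix ?? '';
  const safe = isValidPrefix(prefix) ? prefix.replace(/\/+$/, '') : '';
  return `${safe}${path}`;
}

/** Middleware for server.ts: strips an invalid X-Forwarded-Prefix before Angular
 *  processes the request, and marks the response as varying on that header so
 *  shared caches key on it (the Vary header the advisory notes is missing). */
export function forwardedPrefixGuard(req: Req, res: Res, next: () => void): void {
  const raw = req.headers['x-forwarded-prefix'];
  const value = Array.isArray(raw) ? raw[0] : raw;
  if (value !== undefined && !isValidPrefix(value)) {
    delete req.headers['x-forwarded-prefix'];
  }
  res.setHeader('Vary', 'X-Forwarded-Prefix');
  next();
}
```

In an Express-based server.ts the guard is registered with app.use() ahead of the Angular request handler.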
Affected Packages
@angular/ssr (NPM): affected version(s) >=22.0.0-next.0 <22.0.0-next.2; fix suggestion: update to version 22.0.0-next.2
@angular/ssr (NPM): affected version(s) >=21.0.0-next.0 <21.2.3; fix suggestion: update to version 21.2.3
@angular/ssr (NPM): affected version(s) >=20.0.0-next.0 <20.3.21; fix suggestion: update to version 20.3.21
CVSS v4
Base Score: 6.9
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: NONE
Vulnerable System Integrity: NONE
Vulnerable System Availability: NONE
Subsequent System Confidentiality: LOW
Subsequent System Integrity: LOW
Subsequent System Availability: NONE
CVSS v3
Base Score: 7.2
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE
Weakness Type (CWE): URL Redirection to Untrusted Site ('Open Redirect')
EPSS
Base Score: 0.04