CVE-2026-33397

The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.

CVSS

No CVSS.

References

Link	Resource
https://github.com/advisories/GHSA-xh43-g2fq-wjrj
https://github.com/angular/angular-cli/pull/32771
https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-26 15:16

Updated : 2026-03-30 13:26

NVD link : CVE-2026-33397

Mitre link : CVE-2026-33397

CVE.ORG link : CVE-2026-33397

JSON object : View

Products Affected

No product.

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2026-33397", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-26T15:16:38.533", "references": [{"url": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj", "source": "security-advisories@github.com"}, {"url": "https://github.com/angular/angular-cli/pull/32771", "source": "security-advisories@github.com"}, {"url": "https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request."}, {"lang": "es", "value": "El Angular SSR es una herramienta de renderizado de ascenso del servidor para aplicaciones Angular. Las versiones de la rama 22.x anteriores a la 22.0.0-next.2, la rama 21.x anteriores a la 21.2.3 y la rama 20.x anteriores a la 20.3.21 tienen una vulnerabilidad de redirecci\u00f3n abierta en '@angular/ssr' debido a una correcci\u00f3n incompleta para CVE-2026-27738. Aunque la correcci\u00f3n original bloque\u00f3 con \u00e9xito m\u00faltiples barras diagonales iniciales (p. ej., '///'), la l\u00f3gica de validaci\u00f3n interna no tiene en cuenta un bypass de una sola barra invertida ('\\'). Cuando una aplicaci\u00f3n Angular SSR se despliega detr\u00e1s de un proxy que pasa el encabezado 'X-Forwarded-Prefix', un atacante proporciona un valor que comienza con una sola barra invertida, la validaci\u00f3n interna no marc\u00f3 la \u00fanica barra invertida como inv\u00e1lida, la aplicaci\u00f3n antepone una barra diagonal inicial, resultando en un encabezado 'Location' que contiene la URL, y los navegadores modernos interpretan la secuencia '/\\' como '//', trat\u00e1ndola como una URL relativa al protocolo y redirigiendo al usuario al dominio controlado por el atacante. Adem\u00e1s, la respuesta carece del encabezado 'Vary: X-Forwarded-Prefix', permitiendo que la redirecci\u00f3n maliciosa se almacene en cach\u00e9s intermedias (Envenenamiento de Cach\u00e9 Web). Las versiones 22.0.0-next.2, 21.2.3 y 20.3.21 contienen un parche. Hasta que se aplique el parche, los desarrolladores deben sanear el encabezado 'X-Forwarded-Prefix' en su 'server.ts' antes de que el motor de Angular procese la solicitud."}], "lastModified": "2026-03-30T13:26:50.827", "sourceIdentifier": "security-advisories@github.com"}