Vulnerability-Lookup

CVE-2026-33397 (GCVE-0-2026-33397)

Vulnerability from cvelistv5 – Published: 2026-03-26 13:46 – Updated: 2026-03-30 14:56

Title

Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass

Summary

The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CWE

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/angular/angular-cli/security/a…	x_refsource_CONFIRM
	https://github.com/angular/angular-cli/pull/32771	x_refsource_MISC
	https://github.com/advisories/GHSA-xh43-g2fq-wjrj	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	angular	angular-cli	Affected: >= 22.0.0-next.0, < 22.0.0-next.2 Affected: >= 21.0.0-next.0, < 21.2.3 Affected: >= 20.0.0-next.0, < 20.3.21

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33397",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-30T13:54:22.310595Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-30T14:56:05.822Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "angular-cli",
          "vendor": "angular",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-next.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 21.0.0-next.0, \u003c 21.2.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 20.0.0-next.0, \u003c 20.3.21"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T13:46:16.145Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f"
        },
        {
          "name": "https://github.com/angular/angular-cli/pull/32771",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/angular/angular-cli/pull/32771"
        },
        {
          "name": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj"
        }
      ],
      "source": {
        "advisory": "GHSA-vfx2-hv2g-xj5f",
        "discovery": "UNKNOWN"
      },
      "title": "Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33397",
    "datePublished": "2026-03-26T13:46:16.145Z",
    "dateReserved": "2026-03-19T17:02:34.169Z",
    "dateUpdated": "2026-03-30T14:56:05.822Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33397",
      "date": "2026-04-16",
      "epss": "0.00051",
      "percentile": "0.15691"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33397\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-26T15:16:38.533\",\"lastModified\":\"2026-03-30T13:26:50.827\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\\\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\\\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.\"},{\"lang\":\"es\",\"value\":\"El Angular SSR es una herramienta de renderizado de ascenso del servidor para aplicaciones Angular. Las versiones de la rama 22.x anteriores a la 22.0.0-next.2, la rama 21.x anteriores a la 21.2.3 y la rama 20.x anteriores a la 20.3.21 tienen una vulnerabilidad de redirecci\u00f3n abierta en \u0027@angular/ssr\u0027 debido a una correcci\u00f3n incompleta para CVE-2026-27738. Aunque la correcci\u00f3n original bloque\u00f3 con \u00e9xito m\u00faltiples barras diagonales iniciales (p. ej., \u0027///\u0027), la l\u00f3gica de validaci\u00f3n interna no tiene en cuenta un bypass de una sola barra invertida (\u0027\\\\\u0027). Cuando una aplicaci\u00f3n Angular SSR se despliega detr\u00e1s de un proxy que pasa el encabezado \u0027X-Forwarded-Prefix\u0027, un atacante proporciona un valor que comienza con una sola barra invertida, la validaci\u00f3n interna no marc\u00f3 la \u00fanica barra invertida como inv\u00e1lida, la aplicaci\u00f3n antepone una barra diagonal inicial, resultando en un encabezado \u0027Location\u0027 que contiene la URL, y los navegadores modernos interpretan la secuencia \u0027/\\\\\u0027 como \u0027//\u0027, trat\u00e1ndola como una URL relativa al protocolo y redirigiendo al usuario al dominio controlado por el atacante. Adem\u00e1s, la respuesta carece del encabezado \u0027Vary: X-Forwarded-Prefix\u0027, permitiendo que la redirecci\u00f3n maliciosa se almacene en cach\u00e9s intermedias (Envenenamiento de Cach\u00e9 Web). Las versiones 22.0.0-next.2, 21.2.3 y 20.3.21 contienen un parche. Hasta que se aplique el parche, los desarrolladores deben sanear el encabezado \u0027X-Forwarded-Prefix\u0027 en su \u0027server.ts\u0027 antes de que el motor de Angular procese la solicitud.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-xh43-g2fq-wjrj\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/angular/angular-cli/pull/32771\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33397\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-30T13:54:22.310595Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-30T13:54:27.266Z\"}}], \"cna\": {\"title\": \"Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass\", \"source\": {\"advisory\": \"GHSA-vfx2-hv2g-xj5f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"angular\", \"product\": \"angular-cli\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 22.0.0-next.0, \u003c 22.0.0-next.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 21.0.0-next.0, \u003c 21.2.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 20.0.0-next.0, \u003c 20.3.21\"}]}], \"references\": [{\"url\": \"https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f\", \"name\": \"https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/angular/angular-cli/pull/32771\", \"name\": \"https://github.com/angular/angular-cli/pull/32771\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/advisories/GHSA-xh43-g2fq-wjrj\", \"name\": \"https://github.com/advisories/GHSA-xh43-g2fq-wjrj\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\\\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\\\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-601\", \"description\": \"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-26T13:46:16.145Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33397\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-30T14:56:05.822Z\", \"dateReserved\": \"2026-03-19T17:02:34.169Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-26T13:46:16.145Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-VFX2-HV2G-XJ5F

Vulnerability from github – Published: 2026-03-19 21:22 – Updated: 2026-03-27 20:49

Summary

Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR

Details

An Open Redirect vulnerability exists in @angular/ssr due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., ///), the internal validation logic fails to account for a single backslash (\) bypass.

When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header:

An attacker provides a value starting with a single backslash (e.g., \evil.com).
The internal validation failed to flag the single backslash as invalid.
The application prepends a leading forward slash, resulting in a Location header containing /\evil.com.
Modern browsers interpret the /\ sequence as //, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain.

Furthermore, the response lacks the Vary: X-Forwarded-Prefix header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning).

Impact

This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:

Scale: A single request can poison a high-traffic route, impacting all users until the cache expires.
SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.
Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.

Patches

22.0.0-next.2
21.2.3
20.3.21

Workarounds

Until the patch is applied, developers should sanitize the X-Forwarded-Prefix header in their server.ts before the Angular engine processes the request:

app.use((req, res, next) => {
  const prefix = req.headers['x-forwarded-prefix'];
  if (typeof prefix === 'string') {
    // Sanitize by removing all leading forward and backward slashes
    req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[/\\]+/, '/');
  }
  next();
});

References

Fix: https://github.com/angular/angular-cli/pull/32771
Original CVE: CVE-2026-27738

Severity ?

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/ssr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "22.0.0-next.0"
            },
            {
              "fixed": "22.0.0-next.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/ssr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "21.0.0-next.0"
            },
            {
              "fixed": "21.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/ssr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "20.0.0-next.0"
            },
            {
              "fixed": "20.3.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33397"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T21:22:52Z",
    "nvd_published_at": "2026-03-26T15:16:38Z",
    "severity": "MODERATE"
  },
  "details": "An Open Redirect vulnerability exists in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\`) bypass.\n\nWhen an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header:\n\n- An attacker provides a value starting with a single backslash (e.g., `\\evil.com`).\n- The internal validation failed to flag the single backslash as invalid.\n- The application prepends a leading forward slash, resulting in a `Location` header containing `/\\evil.com`.\n- Modern browsers interpret the `/\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain.\n\nFurthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning).\n\n### Impact\nThis vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:\n\n- **Scale**: A single request can poison a high-traffic route, impacting all users until the cache expires.\n- **SEO Poisoning**: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.\n- **Trust**: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.\n\n### Patches\n\n- 22.0.0-next.2\n- 21.2.3\n- 20.3.21\n\n### Workarounds\nUntil the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request:\n\n```ts\napp.use((req, res, next) =\u003e {\n  const prefix = req.headers[\u0027x-forwarded-prefix\u0027];\n  if (typeof prefix === \u0027string\u0027) {\n    // Sanitize by removing all leading forward and backward slashes\n    req.headers[\u0027x-forwarded-prefix\u0027] = prefix.trim().replace(/^[/\\\\]+/, \u0027/\u0027);\n  }\n  next();\n});\n```\n\n\n### References\n\n- Fix: https://github.com/angular/angular-cli/pull/32771\n- Original CVE: CVE-2026-27738",
  "id": "GHSA-vfx2-hv2g-xj5f",
  "modified": "2026-03-27T20:49:01Z",
  "published": "2026-03-19T21:22:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33397"
    },
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular-cli/pull/32771"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/angular/angular-cli"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR"
}

FKIE_CVE-2026-33397

Vulnerability from fkie_nvd - Published: 2026-03-26 15:16 - Updated: 2026-03-30 13:26

Severity ?

6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/advisories/GHSA-xh43-g2fq-wjrj
	security-advisories@github.com	https://github.com/angular/angular-cli/pull/32771
	security-advisories@github.com	https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request."
    },
    {
      "lang": "es",
      "value": "El Angular SSR es una herramienta de renderizado de ascenso del servidor para aplicaciones Angular. Las versiones de la rama 22.x anteriores a la 22.0.0-next.2, la rama 21.x anteriores a la 21.2.3 y la rama 20.x anteriores a la 20.3.21 tienen una vulnerabilidad de redirecci\u00f3n abierta en \u0027@angular/ssr\u0027 debido a una correcci\u00f3n incompleta para CVE-2026-27738. Aunque la correcci\u00f3n original bloque\u00f3 con \u00e9xito m\u00faltiples barras diagonales iniciales (p. ej., \u0027///\u0027), la l\u00f3gica de validaci\u00f3n interna no tiene en cuenta un bypass de una sola barra invertida (\u0027\\\u0027). Cuando una aplicaci\u00f3n Angular SSR se despliega detr\u00e1s de un proxy que pasa el encabezado \u0027X-Forwarded-Prefix\u0027, un atacante proporciona un valor que comienza con una sola barra invertida, la validaci\u00f3n interna no marc\u00f3 la \u00fanica barra invertida como inv\u00e1lida, la aplicaci\u00f3n antepone una barra diagonal inicial, resultando en un encabezado \u0027Location\u0027 que contiene la URL, y los navegadores modernos interpretan la secuencia \u0027/\\\u0027 como \u0027//\u0027, trat\u00e1ndola como una URL relativa al protocolo y redirigiendo al usuario al dominio controlado por el atacante. Adem\u00e1s, la respuesta carece del encabezado \u0027Vary: X-Forwarded-Prefix\u0027, permitiendo que la redirecci\u00f3n maliciosa se almacene en cach\u00e9s intermedias (Envenenamiento de Cach\u00e9 Web). Las versiones 22.0.0-next.2, 21.2.3 y 20.3.21 contienen un parche. Hasta que se aplique el parche, los desarrolladores deben sanear el encabezado \u0027X-Forwarded-Prefix\u0027 en su \u0027server.ts\u0027 antes de que el motor de Angular procese la solicitud."
    }
  ],
  "id": "CVE-2026-33397",
  "lastModified": "2026-03-30T13:26:50.827",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-26T15:16:38.533",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/angular/angular-cli/pull/32771"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33397 (GCVE-0-2026-33397)

GHSA-VFX2-HV2G-XJ5F

Impact

Patches

Workarounds

References

FKIE_CVE-2026-33397

Tags

Sightings

Nomenclature