Security Vulnerability Report
CVE-2026-33397 CVSS 6.1 MEDIUM

CVE-2026-33397

Published: 2026-03-26 15:16:39
Last Modified: 2026-04-30 16:51:52

Description

Angular SSR is a server-side rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header and an attacker supplies a value starting with a single backslash, the internal validation does not flag the single backslash as invalid; the application prepends a leading forward slash, producing a `Location` header that contains the resulting URL, and modern browsers interpret the `/\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.
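As an added illustration, not code from the Angular project or from this advisory, the following Express-style guard for `server.ts` drops an unsafe `X-Forwarded-Prefix` value before the Angular engine runs and adds the `Vary` header the description calls for. The `Req` and `Res` interfaces are assumed stand-ins for Express's request and response types so the snippet runs stand-alone.

```typescript
// Added example (not the Angular project's code): sanitize X-Forwarded-Prefix
// before the Angular engine sees it, and mark the response as varying on it.

// Minimal request/response shapes so this runs without Express; in a real
// server.ts these would be Express's Request and Response objects (assumption).
interface Req { headers: Record<string, string | string[] | undefined>; }
interface Res { setHeader(name: string, value: string): void; }

// Returns the prefix when it is safe to use, otherwise undefined.
function sanitizeForwardedPrefix(raw: string | string[] | undefined): string | undefined {
  if (raw === undefined) return undefined;
  const value = Array.isArray(raw) ? raw[0] : raw;
  if (value === undefined || value === "") return undefined;
  // Any backslash is rejected outright: browsers treat "/\" like "//",
  // which is the single-backslash bypass described in CVE-2026-33397.
  if (value.includes("\\")) return undefined;
  // A prefix must be a single-slash-rooted path; "//host" and "///host"
  // are protocol-relative URLs (the case the earlier fix blocked).
  if (!value.startsWith("/") || value.startsWith("//")) return undefined;
  // Path segments only: no whitespace, query, fragment, userinfo, scheme
  // separator or control characters.
  if (/[\s?#@]|[\x00-\x1f\x7f]/.test(value) || /:\/\//.test(value)) return undefined;
  return value;
}

// Express-style middleware: remove an unsafe header value so downstream code
// never builds a redirect from it, and always add Vary so shared caches keep
// responses for different prefixes apart (the cache-poisoning angle above).
function forwardedPrefixGuard(req: Req, res: Res, next: () => void): void {
  const safe = sanitizeForwardedPrefix(req.headers["x-forwarded-prefix"]);
  if (safe === undefined) {
    delete req.headers["x-forwarded-prefix"];
  } else {
    req.headers["x-forwarded-prefix"] = safe;
  }
  res.setHeader("Vary", "X-Forwarded-Prefix");
  next();
}
```

Register the guard with `app.use(forwardedPrefixGuard)` ahead of the Angular request handler so the engine only ever sees a validated prefix.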

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:angular:angular_cli:*:-:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:angular:angular_cli:22.0.0:next0:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:angular:angular_cli:22.0.0:next1:*:*:*:node.js:*:* - VULNERABLE
Angular SSR 22.x < 22.0.0-next.2
Angular SSR 21.x < 21.2.3
Angular SSR 20.x < 20.3.21

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```http
GET / HTTP/1.1
Host: victim.com
X-Forwarded-Prefix: \evil.com

# Explanation:
# The server validates X-Forwarded-Prefix but misses the single backslash.
# It prepends a forward slash, resulting in the Location header: /\evil.com
# Browsers parse /\ as //, redirecting to //evil.com.
```

References

Raw JSON Data
