CVE-2026-33397: Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass

Published Mar 19, 2026

An Open Redirect vulnerability exists in @angular/ssr due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., ///), the internal validation logic fails to account for a single backslash (\) bypass.

When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header:

- An attacker provides a value starting with a single backslash (e.g., \evil.com).
- The internal validation fails to flag the single backslash as invalid.
- The application prepends a leading forward slash, resulting in a Location header containing /\evil.com.
- Modern browsers interpret the /\ sequence as //, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain.

Furthermore, the response lacks the Vary: X-Forwarded-Prefix header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning).

Impact

This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:

- Scale: A single request can poison a high-traffic route, impacting all users until the cache expires.
- SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.
- Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.

Patches

- 22.0.0-next.2
- 21.2.3
- 20.3.21

Workarounds

Until the patch is applied, developers should sanitize the X-Forwarded-Prefix header in their server.ts before the Angular engine processes the request:

```ts
app.use((req, res, next) => {
  const prefix = req.headers['x-forwarded-prefix'];
  if (typeof prefix === 'string') {
    // Collapse any run of leading forward or back slashes into a single '/'
    // so the stored value can never begin with '//' or '/\'
    req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[/\\]+/, '/');
  }
  next();
});
```
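As an added example (not Angular's or the advisory's own code), the block below models the incomplete check described above, an allowlist-based normalizer for X-Forwarded-Prefix that is stricter than the collapse-slashes workaround, and a defender-side check for Location values that browsers treat as protocol-relative. The function names and the simplified model of the pre-patch logic are assumptions.

```typescript
// Simplified model of the pre-patch behaviour (assumption, not Angular's source):
// only a run of two or more leading "/" is rejected, then a "/" is prepended
// when missing. A lone leading "\" passes through and becomes "/\...".
function vulnerableLocation(prefix: string): string {
  const trimmed = prefix.trim();
  const value = /^\/{2,}/.test(trimmed) ? "" : trimmed; // misses "\evil.com"
  return value.startsWith("/") ? value : "/" + value;
}

// Hardened normalizer: accept only a prefix made of plain path segments
// ("/", "/app", "/app/v1/"); anything else, including any backslash, an
// empty segment ("//") or characters outside the allowlist, falls back to "/".
const SAFE_PREFIX = /^\/(?:[A-Za-z0-9._~-]+\/?)*$/;

function hardenedNormalizePrefix(prefix: string): string {
  const trimmed = prefix.trim();
  return SAFE_PREFIX.test(trimmed) ? trimmed : "/";
}

// Detection aid: does a Location value start with "//" or "/\" (after any
// leading whitespace), i.e. the shapes browsers resolve as protocol-relative?
function isProtocolRelative(location: string): boolean {
  return /^\s*[\/\\][\/\\]/.test(location);
}

// Builds the redirect headers a prefix-aware handler should emit: the Location
// derived from the normalized prefix, plus Vary so caches key on the header
// that influenced the response (the missing header the advisory calls out).
function redirectHeaders(prefix: string, target: string): Record<string, string> {
  const base = hardenedNormalizePrefix(prefix);
  const location = base === "/" ? target : base.replace(/\/$/, "") + target;
  return { Location: location, Vary: "X-Forwarded-Prefix" };
}
```
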

References

- Fix: https://github.com/angular/angular-cli/pull/32771
- Original CVE: CVE-2026-27738

Other sources

Angular SSR is a server-side rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in @angular/ssr due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., ///), the internal validation logic fails to account for a single backslash (\) bypass. When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header, an attacker can provide a value starting with a single backslash; the internal validation fails to flag the single backslash as invalid, the application prepends a leading forward slash, and the resulting Location header contains that URL. Modern browsers interpret the /\ sequence as //, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the Vary: X-Forwarded-Prefix header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the X-Forwarded-Prefix header in their server.ts before the Angular engine processes the request.

MITRE

Affected Software

7 affected components, fixes available:

- npm/@angular/ssr >=20.0.0-next.0 <20.3.21 (fixed in 20.3.21)
- npm/@angular/ssr >=21.0.0-next.0 <21.2.3 (fixed in 21.2.3)
- npm/@angular/ssr >=22.0.0-next.0 <22.0.0-next.2 (fixed in 22.0.0-next.2)
- angular Angular Cli (Node.js) >=20.0.0 <20.3.21
- angular Angular Cli (Node.js) >=21.0.0 <21.2.3
- angular Angular Cli (Node.js) =22.0.0-next0
- angular Angular Cli (Node.js) =22.0.0-next1

Event History

Mar 19, 2026
- Advisory Published via GitHub, 09:22 PM
- Data Sourced via GitHub, 09:22 PM (Description, Weakness, Affected Software)

Mar 26, 2026
- CVE Published via MITRE, 01:46 PM
- Data Sourced via MITRE, 01:46 PM (Description, Weakness)
- Data Sourced via NVD, 03:16 PM (Remedy, Description, Severity, Weakness, Affected Software)

Frequently Asked Questions

1. What is the severity of CVE-2026-33397?

CVE-2026-33397 is classified as a medium severity vulnerability due to the potential for open redirects.

2. How do I fix CVE-2026-33397?

To remediate CVE-2026-33397, update to version 20.3.21, 21.2.3, or 22.0.0-next.2 of the @angular/ssr package.

3. What system configurations are affected by CVE-2026-33397?

CVE-2026-33397 affects versions of the @angular/ssr package prior to the specified remedial versions.

4. What type of vulnerability is CVE-2026-33397?

CVE-2026-33397 is an open redirect vulnerability that can be exploited if not properly addressed.

5. What is the cause of CVE-2026-33397?

The vulnerability is caused by an incomplete fix that fails to account for a single backslash bypass in the validation logic.
