{"id":"CVE-2026-33397","summary":"Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass","details":"Angular SSR is a server-side rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header and an attacker supplies a header value starting with a single backslash, the internal validation fails to flag the single backslash as invalid and the application prepends a leading forward slash, resulting in a `Location` header containing that value. Modern browsers interpret the `/\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. 
Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.","aliases":["GHSA-vfx2-hv2g-xj5f"],"modified":"2026-04-10T05:42:46.036507Z","published":"2026-03-26T13:46:16.145Z","related":["GHSA-vfx2-hv2g-xj5f","GHSA-xh43-g2fq-wjrj"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33397.json","cwe_ids":["CWE-601"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33397.json"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-xh43-g2fq-wjrj"},{"type":"FIX","url":"https://github.com/angular/angular-cli/pull/32771"},{"type":"ADVISORY","url":"https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33397"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/angular/angular-cli","events":[{"introduced":"93b1debc57ff7298be616469cdefe94f215c43be"},{"fixed":"110a2278dc67f92f90a2535ea2616e6d26989ddf"}],"database_specific":{"versions":[{"introduced":"22.0.0-next.0"},{"fixed":"22.0.0-next.2"}]}},{"type":"GIT","repo":"https://github.com/angular/angular-cli","events":[{"introduced":"2c99210e47b22342fea48e86bc61e8ba27fafb63"},{"fixed":"ec8a04b9513cbabf7412ac20b7fdbab2e9faa166"}],"database_specific":{"versions":[{"introduced":"21.0.0-next.0"},{"fixed":"21.2.3"}]}},{"type":"GIT","repo":"https://github.com/angular/angular-cli","events":[{"introduced":"896d98a31326d88acc3b8ddb80f9de34a71bf3a0"},{"fixed":"34d524549b68912f8ebe4e656a342b797161d232"}],"database_specific":{"versions":[{"introduced":"20.0.0-next.0"},{"fixed":"20.3.21"}]}}],"versions":["20.0.0-next.0","20.0.0-next.1","20.0.0-next.2","20.0.0-next.3","20.0.0-next.4","20.0.0-next.5","20.0.0-next.6","20.0.0-next.7","20.0.0-next.8","20.1.0-next.0","20.1.0-next.1",
"20.1.0-next.2","20.1.0-next.3","20.2.0","20.2.0-next.0","20.2.0-next.1","20.2.0-next.2","20.2.0-next.3","20.2.0-rc.0","20.2.0-rc.1","20.2.1","20.2.2","20.3.0","20.3.0-rc.0","20.3.1","20.3.10","20.3.11","20.3.12","20.3.13","20.3.2","20.3.3","20.3.4","20.3.5","20.3.6","20.3.7","20.3.8","20.3.9","21.0.0-next.0","21.0.0-next.1","21.0.0-next.2","21.0.0-next.3","21.0.0-next.4","21.0.0-next.5","21.0.0-next.6","21.0.0-next.7","21.0.0-next.8","21.1.0-next.0","21.1.0-next.1","v20.3.14","v20.3.15","v20.3.16","v20.3.17","v20.3.18","v20.3.19","v20.3.20","v21.1.0-next.2","v21.1.0-next.3","v21.2.0","v21.2.0-next.0","v21.2.0-next.1","v21.2.0-next.2","v21.2.0-rc.0","v21.2.0-rc.1","v21.2.0-rc.2","v21.2.1","v21.2.2","v22.0.0-next.0","v22.0.0-next.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33397.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}]}