{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "22.0.0-next.0"
              },
              {
                "fixed": "22.0.0-next.2"
              }
            ]
          },
          "events": [
            {
              "introduced": "93b1debc57ff7298be616469cdefe94f215c43be"
            },
            {
              "fixed": "110a2278dc67f92f90a2535ea2616e6d26989ddf"
            }
          ],
          "repo": "https://github.com/angular/angular-cli",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "21.0.0-next.0"
              },
              {
                "fixed": "21.2.3"
              }
            ]
          },
          "events": [
            {
              "introduced": "2c99210e47b22342fea48e86bc61e8ba27fafb63"
            },
            {
              "fixed": "ec8a04b9513cbabf7412ac20b7fdbab2e9faa166"
            }
          ],
          "repo": "https://github.com/angular/angular-cli",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "20.0.0-next.0"
              },
              {
                "fixed": "20.3.21"
              }
            ]
          },
          "events": [
            {
              "introduced": "896d98a31326d88acc3b8ddb80f9de34a71bf3a0"
            },
            {
              "fixed": "34d524549b68912f8ebe4e656a342b797161d232"
            }
          ],
          "repo": "https://github.com/angular/angular-cli",
          "type": "GIT"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-601"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33397.json"
  },
  "details": "Angular SSR is a server-side rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header and an attacker supplies a value starting with a single backslash, the internal validation does not flag the single backslash as invalid, and the application prepends a leading forward slash, resulting in a `Location` header containing the resulting URL; modern browsers interpret the `/\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.",
  "id": "CVE-2026-33397",
  "modified": "2026-04-01T23:10:17.611634947Z",
  "published": "2026-03-26T13:46:16.145Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33397.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj"
    },
    {
      "type": "FIX",
      "url": "https://github.com/angular/angular-cli/pull/32771"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33397"
    }
  ],
  "related": [
    "GHSA-xh43-g2fq-wjrj",
    "GHSA-vfx2-hv2g-xj5f"
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass"
}