Angular SSR is the server-side rendering package for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an open redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. The original fix blocked multiple leading slashes (e.g. `///`), but the internal validation logic does not account for a single backslash (`\`). When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker supplies a value starting with a single backslash; the validation does not flag it as invalid, the application prepends a leading forward slash, and the resulting `Location` header begins with `/\`. Modern browsers interpret the `/\` sequence as `//`, treat the URL as protocol-relative, and redirect the user to the attacker-controlled domain. Furthermore, the response lacks a `Vary: X-Forwarded-Prefix` header, so the malicious redirect can be stored by intermediate caches (web cache poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.
Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass
Problem type
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Affected products
angular (angular-cli, package @angular/ssr)
>= 22.0.0-next.0, < 22.0.0-next.2 - AFFECTED
>= 21.0.0-next.0, < 21.2.3 - AFFECTED
>= 20.0.0-next.0, < 20.3.21 - AFFECTED
References
https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f
https://github.com/angular/angular-cli/pull/32771
https://github.com/advisories/GHSA-xh43-g2fq-wjrj
GitHub Security Advisories
GHSA-vfx2-hv2g-xj5f
Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR
https://github.com/advisories/GHSA-vfx2-hv2g-xj5f
An Open Redirect vulnerability exists in @angular/ssr due to an incomplete fix for CVE-2026-27738. The original fix blocked multiple leading slashes (e.g. ///), but the internal validation logic does not account for a single backslash (\) bypass.
When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header:
- An attacker provides a value starting with a single backslash (e.g., \evil.com).
- The internal validation does not flag the single backslash as invalid.
- The application prepends a leading forward slash, resulting in a Location header containing /\evil.com.
- Modern browsers interpret the /\ sequence as //, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain (evil.com in this example).
Furthermore, the response lacks the Vary: X-Forwarded-Prefix header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning).
Impact
This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:
- Scale: If a shared cache in front of the application stores the redirect without keying on X-Forwarded-Prefix, a single request can poison a high-traffic route, impacting all users until the cache entry expires.
- SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.
- Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.
Patches
- 22.0.0-next.2
- 21.2.3
- 20.3.21
Workarounds
Until the patch is applied, developers should sanitize the X-Forwarded-Prefix header in their server.ts before the Angular engine processes the request:
app.use((req, res, next) => {
  const prefix = req.headers['x-forwarded-prefix'];
  if (typeof prefix === 'string') {
    // Collapse any run of leading forward or backward slashes into a single
    // forward slash, so neither "///evil.com" nor "\evil.com" survives.
    req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[/\\]+/, '/');
  }
  next();
});
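The following Node.js script is an added illustration of the mechanism described above and of the workaround's regex; it is not Angular's code and not part of the advisory. The "vulnerable" normaliser is a simplified reconstruction based only on the advisory's description (it rejects two or more leading slashes but not a single backslash), the hardened one applies the same replace as the workaround middleware, and the WHATWG URL parser (which browsers and Node share) shows where each Location value actually sends the user. The origin app.example, the sample header values and the function names are constructed for the example.

```javascript
// Added example: models X-Forwarded-Prefix normalisation and resolves the
// resulting Location header the way a WHATWG-compliant browser would.
// Not @angular/ssr's implementation; a reconstruction from the advisory text.

// For special schemes (http/https) the WHATWG parser treats '\' like '/',
// so "/\evil.com/" relative to https://app.example becomes https://evil.com/.
function resolveRedirectHost(location, origin) {
  return new URL(location, origin).host;
}

// Model of the incomplete fix: '//' and '///' prefixes are rejected, but a
// value beginning with a single backslash passes and then gets '/' prepended.
function vulnerableNormalizePrefix(raw) {
  const prefix = raw.trim();
  if (/^\/\/+/.test(prefix)) return null;          // multiple leading slashes blocked
  return prefix.startsWith('/') ? prefix : '/' + prefix; // '\evil.com' -> '/\evil.com'
}

// Hardened normalisation, same regex as the advisory's workaround, plus a
// rejection of backslashes anywhere else (assumption: a path prefix never
// legitimately contains one).
function hardenedNormalizePrefix(raw) {
  const prefix = raw.trim().replace(/^[/\\]+/, '/');
  if (prefix.includes('\\')) return null;
  return prefix.startsWith('/') ? prefix : '/' + prefix;
}

// Where does the user end up for a given header value under each normaliser?
// The app is assumed to redirect to its own root beneath the prefix.
function simulateRedirect(rawPrefix, normalize, origin = 'https://app.example') {
  const prefix = normalize(rawPrefix);
  if (prefix === null) return { rejected: true, location: null, host: new URL(origin).host };
  const location = prefix.endsWith('/') ? prefix : prefix + '/';
  return { rejected: false, location, host: resolveRedirectHost(location, origin) };
}

// Constructed header values, not taken from real traffic.
const SAMPLE_PREFIXES = ['/app', '///evil.com', '\\evil.com', '/\\evil.com', 'evil.com'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const raw of SAMPLE_PREFIXES) {
    const v = simulateRedirect(raw, vulnerableNormalizePrefix);
    const h = simulateRedirect(raw, hardenedNormalizePrefix);
    console.log(
      JSON.stringify(raw).padEnd(16),
      'incomplete fix ->', (v.rejected ? 'rejected' : v.host).padEnd(12),
      'workaround ->', (h.rejected ? 'rejected' : h.host),
    );
  }
}
```

Running it with `node` prints one line per sample; `\evil.com` and `/\evil.com` resolve to evil.com under the reconstructed check and to app.example after the workaround's replace, while `///evil.com` is caught by both. The script models only the redirect, not the caching layer: whether a poisoned Location is served to other users still depends on the cache in front of the app and on the missing Vary header discussed above.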
References
- Fix: https://github.com/angular/angular-cli/pull/32771
- Original CVE: CVE-2026-27738
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-33397
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-33397",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-03-26T13:46:16.145Z",
"dateReserved": "2026-03-19T17:02:34.169Z",
"datePublished": "2026-03-26T13:46:16.145Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-03-26T13:46:16.145Z"
},
"title": "Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass",
"descriptions": [
{
"lang": "en",
"value": "The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request."
}
],
"affected": [
{
"vendor": "angular",
"product": "angular-cli",
"versions": [
{
"version": ">= 22.0.0-next.0, < 22.0.0-next.2",
"status": "affected"
},
{
"version": ">= 21.0.0-next.0, < 21.2.3",
"status": "affected"
},
{
"version": ">= 20.0.0-next.0, < 20.3.21",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')",
"cweId": "CWE-601",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f",
"name": "https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/angular/angular-cli/pull/32771",
"name": "https://github.com/angular/angular-cli/pull/32771",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj",
"name": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
}
}
}