CVEFinder.io

CVE-2026-33397

🔶 medium
🔍 Scan for this CVE
Summary

The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\`) bypass. When an Angular SSR application is de

Description

The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.

CVSS Score
6.1
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-03-26
First Seen: 2026-03-27
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 38.8% of all 329,456 vulnerabilities in our database.

#201,538
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Mar 30, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-04-30
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-601

📦 Affected Products 3

Vendor Product Status Affected Versions
angular angular_cli Affected
≥ 20.0.0 < 20.3.21
angular angular_cli Affected
≥ 21.0.0 < 21.2.3
angular angular_cli Affected
v22.0.0

🔗 References 3

https://github.com/advisories/GHSA-xh43-g2fq-wjrj
Not Applicable
https://github.com/angular/angular-cli/pull/32771
Issue Tracking Patch
https://github.com/angular/angular-cli/security/advi...
Vendor Advisory

🔗 Related CVEs 2

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-44437 🔶 medium 6.1 0.0 The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25,... 2026-05-13
CVE-2026-32635 ⛔ critical 9.0 0.1 Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other... 2026-03-16
These CVEs affect the same products