Description
Angular SSR is a server-side rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single-backslash (`\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header and an attacker supplies a value starting with a single backslash, the internal validation does not flag the backslash as invalid, the application prepends a leading forward slash, and the resulting `Location` header contains a URL beginning with `/\`; modern browsers interpret `/\` as `//`, treat the URL as protocol-relative, and redirect the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.
Published: 2026-03-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect enabling malicious navigation and potential web cache poisoning
Action: Apply Patch
AI Analysis

Impact

A flaw in Angular SSR's validation of the X-Forwarded-Prefix header allows an attacker to supply a value starting with a single backslash; the framework accepts it and prepends a forward slash, so the Location header carries a `/\` sequence that browsers treat as a protocol-relative URL. This redirects users to an attacker-controlled domain. Because the response lacks a Vary header for the X-Forwarded-Prefix header, the malicious redirect can be stored in intermediate caches, expanding the reach of the attack through web cache poisoning.

Affected Systems

Angular CLI applications built with the 22.x branch before 22.0.0-next.2, the 21.x branch before 21.2.3, and the 20.x branch before 20.3.21 are vulnerable. Upgrading to 22.0.0-next.2, 21.2.3, or 20.3.21 respectively resolves the issue.

Risk and Exploitability

The CVSS base score of 6.9 indicates a moderate to high risk. Direct exploitation requires control of the X-Forwarded-Prefix header, which is typically possible only when the SSR application is exposed behind a proxy or load balancer. The likelihood of exploitation is not quantified in the available data. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the combination of an open redirect and cache poisoning increases its potential impact.

Generated by OpenCVE AI on March 26, 2026 at 15:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Angular CLI to the patched versions (22.0.0-next.2, 21.2.3, or 20.3.21).
  • If an update cannot be performed immediately, sanitize or remove the X-Forwarded-Prefix header in server.ts before the request reaches the Angular engine.
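The second action above, carried out as an added example that is not from OpenCVE, the GitHub advisory, or the Angular project: an Express-style middleware for `server.ts` that allow-lists `X-Forwarded-Prefix` before the Angular engine runs and also appends `Vary: X-Forwarded-Prefix` so shared caches key on the header. It assumes the Express-style `req.headers` / `res.setHeader` shape with lower-cased incoming header names (as Node's `http` module provides); the names `SAFE_PREFIX`, `sanitizeForwardedPrefix`, `appendVary`, `forwardedPrefixGuard` and `demo` are this example's own.

```typescript
// Added example (not from the advisory, OpenCVE, or the Angular project).
// Header names are assumed lower-cased, as Node's http module does for
// incoming requests.

// Allow-list: one leading slash, then slash-separated segments of unreserved
// URL characters. Anything else (`\...`, `/\...`, `//...`, `///...`, query
// strings, fragments, whitespace, control characters) is rejected outright.
const SAFE_PREFIX = /^\/(?:[A-Za-z0-9._~-]+\/?)*$/;

type HeaderValue = string | string[] | undefined;

interface MinimalRequest {
  headers: Record<string, HeaderValue>;
}

interface MinimalResponse {
  getHeader(name: string): string | number | string[] | undefined;
  setHeader(name: string, value: string): void;
}

// Returns the prefix if it is safe to pass on to the Angular engine, else null.
function sanitizeForwardedPrefix(raw: HeaderValue): string | null {
  // A proxy chain may have sent the header more than once; use only the first.
  const value = Array.isArray(raw) ? raw[0] : raw;
  if (typeof value !== 'string' || !SAFE_PREFIX.test(value)) {
    return null;
  }
  // The regex admits dot segments such as `/../admin`; refuse those as well.
  if (value.split('/').some((segment) => segment === '.' || segment === '..')) {
    return null;
  }
  return value;
}

// Append a field to Vary without clobbering values set by other middleware.
function appendVary(res: MinimalResponse, field: string): string {
  const existing = res.getHeader('Vary');
  const fields: string[] = existing === undefined
    ? []
    : String(existing).split(',').map((f) => f.trim()).filter((f) => f.length > 0);
  if (!fields.some((f) => f.toLowerCase() === field.toLowerCase())) {
    fields.push(field);
  }
  const joined = fields.join(', ');
  res.setHeader('Vary', joined);
  return joined;
}

// Middleware to register in server.ts before the Angular request handler:
//   app.use(forwardedPrefixGuard);
function forwardedPrefixGuard(req: MinimalRequest, res: MinimalResponse, next: () => void): void {
  const safe = sanitizeForwardedPrefix(req.headers['x-forwarded-prefix']);
  if (safe === null) {
    // Drop the header rather than fail the request: the app then renders with
    // no prefix, exactly as it would for a direct, un-proxied request.
    delete req.headers['x-forwarded-prefix'];
  } else {
    req.headers['x-forwarded-prefix'] = safe;
  }
  // Declare the dependency on the header so a cached variant produced for one
  // prefix value is not served to clients that sent a different one (or none).
  appendVary(res, 'X-Forwarded-Prefix');
  next();
}

// Offline demo with a constructed request and an in-memory response object.
function demo(prefixHeader: HeaderValue): { prefix: HeaderValue; vary: string | undefined } {
  const req: MinimalRequest = {
    headers: { host: 'app.example', 'x-forwarded-prefix': prefixHeader }, // constructed
  };
  const stored: Record<string, string> = { vary: 'Accept-Encoding' }; // pre-existing Vary
  const res: MinimalResponse = {
    getHeader: (name) => stored[name.toLowerCase()],
    setHeader: (name, value) => { stored[name.toLowerCase()] = value; },
  };
  const calls = { next: 0 };
  forwardedPrefixGuard(req, res, () => { calls.next += 1; });
  if (calls.next !== 1) {
    throw new Error('guard must hand the request on exactly once');
  }
  return { prefix: req.headers['x-forwarded-prefix'], vary: stored['vary'] };
}
```

The allow-list deliberately refuses the whole class of authority-looking values rather than just the `\` and `///` cases named in the advisory, since a browser's parsing of `Location` is more permissive than the framework's check; dropping the header on rejection keeps the site working for clients that never sent it. `appendVary` merges with any `Vary` already set, because replacing it would undo other middleware's cache directives.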


Advisories
Source: GitHub GHSA
ID: GHSA-vfx2-hv2g-xj5f
Title: Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR
History

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Angular; Angular angular

Type: Vendors & Products
Values removed: (none)
Values added: Angular; Angular angular

Thu, 26 Mar 2026 14:30:00 +0000

Type: Description
Values added: Angular SSR is a server-side rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single-backslash (`\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header and an attacker supplies a value starting with a single backslash, the internal validation does not flag the backslash as invalid, the application prepends a leading forward slash, and the resulting `Location` header contains a URL beginning with `/\`; modern browsers interpret `/\` as `//`, treat the URL as protocol-relative, and redirect the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.

Type: Title
Values added: Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass

Type: Weaknesses
Values added: CWE-601

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T13:46:16.145Z

Reserved: 2026-03-19T17:02:34.169Z

Link: CVE-2026-33397

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-26T15:16:38.533

Modified: 2026-03-26T15:16:38.533

Link: CVE-2026-33397

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:26:41Z

Weaknesses