{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33397", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.169Z", "datePublished": "2026-03-26T13:46:16.145Z", "dateUpdated": "2026-03-30T14:56:05.822Z"}, "containers": {"cna": {"title": "Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f"}, {"name": "https://github.com/angular/angular-cli/pull/32771", "tags": ["x_refsource_MISC"], "url": "https://github.com/angular/angular-cli/pull/32771"}, {"name": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj", "tags": ["x_refsource_MISC"], "url": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj"}], "affected": [{"vendor": "angular", "product": "angular-cli", "versions": [{"version": ">= 22.0.0-next.0, < 22.0.0-next.2", "status": "affected"}, {"version": ">= 21.0.0-next.0, < 21.2.3", "status": "affected"}, {"version": ">= 20.0.0-next.0, < 20.3.21", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T13:46:16.145Z"}, "descriptions": [{"lang": "en", "value": "The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request."}], "source": {"advisory": "GHSA-vfx2-hv2g-xj5f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T13:54:22.310595Z", "id": "CVE-2026-33397", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:56:05.822Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33397", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T13:54:22.310595Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T13:54:27.266Z"}}], "cna": {"title": "Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass", "source": {"advisory": "GHSA-vfx2-hv2g-xj5f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "angular", "product": "angular-cli", "versions": [{"status": "affected", "version": ">= 22.0.0-next.0, < 22.0.0-next.2"}, {"status": "affected", "version": ">= 21.0.0-next.0, < 21.2.3"}, {"status": "affected", "version": ">= 20.0.0-next.0, < 20.3.21"}]}], "references": [{"url": "https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f", "name": "https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/angular/angular-cli/pull/32771", "name": "https://github.com/angular/angular-cli/pull/32771", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj", "name": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T13:46:16.145Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33397", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:56:05.822Z", "dateReserved": "2026-03-19T17:02:34.169Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T13:46:16.145Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:angular:angular_cli:*:-:*:*:*:node.js:*:*", "matchCriteriaId": "38155A4F-04D4-4EB4-B7B4-DC5BA37638C4", "versionEndExcluding": "20.3.21", "versionStartIncluding": "20.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:angular:angular_cli:*:-:*:*:*:node.js:*:*", "matchCriteriaId": "386A3C02-930D-4B48-BFC9-16AB1A763DD5", "versionEndExcluding": "21.2.3", "versionStartIncluding": "21.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:angular:angular_cli:22.0.0:next0:*:*:*:node.js:*:*", "matchCriteriaId": "1BD57930-760B-43CB-8BD1-25D79A7E60FC", "vulnerable": true}, {"criteria": "cpe:2.3:a:angular:angular_cli:22.0.0:next1:*:*:*:node.js:*:*", "matchCriteriaId": "81D13997-DAC1-472B-93D2-8BF19ACC6BFC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request."}, {"lang": "es", "value": "El Angular SSR es una herramienta de renderizado de ascenso del servidor para aplicaciones Angular. Las versiones de la rama 22.x anteriores a la 22.0.0-next.2, la rama 21.x anteriores a la 21.2.3 y la rama 20.x anteriores a la 20.3.21 tienen una vulnerabilidad de redirecci\u00f3n abierta en '@angular/ssr' debido a una correcci\u00f3n incompleta para CVE-2026-27738. Aunque la correcci\u00f3n original bloque\u00f3 con \u00e9xito m\u00faltiples barras diagonales iniciales (p. ej., '///'), la l\u00f3gica de validaci\u00f3n interna no tiene en cuenta un bypass de una sola barra invertida ('\\'). Cuando una aplicaci\u00f3n Angular SSR se despliega detr\u00e1s de un proxy que pasa el encabezado 'X-Forwarded-Prefix', un atacante proporciona un valor que comienza con una sola barra invertida, la validaci\u00f3n interna no marc\u00f3 la \u00fanica barra invertida como inv\u00e1lida, la aplicaci\u00f3n antepone una barra diagonal inicial, resultando en un encabezado 'Location' que contiene la URL, y los navegadores modernos interpretan la secuencia '/\\' como '//', trat\u00e1ndola como una URL relativa al protocolo y redirigiendo al usuario al dominio controlado por el atacante. Adem\u00e1s, la respuesta carece del encabezado 'Vary: X-Forwarded-Prefix', permitiendo que la redirecci\u00f3n maliciosa se almacene en cach\u00e9s intermedias (Envenenamiento de Cach\u00e9 Web). Las versiones 22.0.0-next.2, 21.2.3 y 20.3.21 contienen un parche. Hasta que se aplique el parche, los desarrolladores deben sanear el encabezado 'X-Forwarded-Prefix' en su 'server.ts' antes de que el motor de Angular procese la solicitud."}], "id": "CVE-2026-33397", "lastModified": "2026-04-30T16:51:51.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T15:16:38.533", "references": [{"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/angular/angular-cli/pull/32771"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[22.0.0-next.0,22.0.0-next.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[21.0.0-next.0,21.2.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[20.0.0-next.0,20.3.21)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 88.0, "source": "matching"}]}, "original": {"product": "angular-cli", "source": "cna", "vendor": "angular"}, "product": "angular", "vendor": "angular"}], "analysis": {"en": {"generated_at": "2026-03-26T15:58:15.218676+00:00", "value": {"mitigation_remediation": ["Update Angular CLI to the patched versions (22.0.0-next.2, 21.2.3, or 20.3.21).", "If an update cannot be performed immediately, sanitize or remove the X-Forwarded-Prefix header in server.ts before the request reaches the Angular engine."], "summary": {"action": "Apply Patch", "impact": "Open Redirect enabling malicious navigation and potential web cache poisoning"}, "threat_synthesis": {"affected_systems": "Angular CLI applications built with the 22.x branch before 22.0.0-next.2, the 21.x branch before 21.2.3, and the 20.x branch before 20.3.21 are vulnerable. Upgrading to 22.0.0-next.2, 21.2.3, or 20.3.21 respectively resolves the issue.", "description_and_impact": "A flaw in Angular SSR\u2019s validation of the X-Forwarded-Prefix header allows an attacker to inject a single backslash that is interpreted as a forward slash by the framework, causing a protocol-relative URL to appear in the Location header. This redirects users to an attacker\u2011controlled domain. Because the response lacks a Vary header for the X-Forwarded-Prefix header, the malicious redirect can be stored in intermediate caches, expanding the reach of the attack through web cache poisoning.", "risk_and_exploitability": "The CVSS base score of 6.9 indicates a moderate to high risk. Direct exploitation requires control of the X-Forwarded-Prefix header, which is typically possible only when the SSR application is exposed behind a proxy or load balancer. The likelihood of exploitation is not quantified in the available data. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the combination of an open redirect and cache poisoning increases its potential impact."}}}}, "created": "2026-03-27T08:34:14.139100+00:00", "updated": "2026-03-27T09:26:41.488240+00:00", "vendors": ["angular", "angular$PRODUCT$angular"]}