CVE-2026-33397: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in angular angular-cli
Angular SSR is a server-side rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header and an attacker supplies a value starting with a single backslash, the internal validation does not flag the backslash as invalid, the application prepends a leading forward slash, and the resulting `Location` header contains a URL beginning with `/\`. Modern browsers interpret the `/\` sequence as `//`, treat the value as a protocol-relative URL, and redirect the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (web cache poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.
AI Analysis
Technical Summary
CVE-2026-33397 is a security vulnerability classified as an Open Redirect (CWE-601) in Angular's server-side rendering package (@angular/ssr), specifically affecting versions 22.x prior to 22.0.0-next.2, 21.x prior to 21.2.3, and 20.x prior to 20.3.21. This vulnerability stems from an incomplete fix for a previous similar issue (CVE-2026-27738). The core problem lies in the validation logic of the X-Forwarded-Prefix HTTP header, which is commonly used when Angular SSR applications are deployed behind proxies. While the prior fix blocked multiple leading forward slashes (///), it failed to consider a single backslash (\) as a bypass vector. When an attacker supplies an X-Forwarded-Prefix header starting with a backslash, the Angular SSR engine prepends a forward slash, resulting in a Location header containing a URL with a /\ sequence. Modern browsers interpret this sequence as //, which is a protocol-relative URL, causing the browser to redirect users to a domain controlled by the attacker. This redirection occurs without requiring any user interaction or authentication, making it a straightforward attack vector. Moreover, the HTTP response does not include a Vary: X-Forwarded-Prefix header, which means that malicious redirect responses can be cached by intermediate proxies or CDNs, enabling web cache poisoning attacks that affect multiple users. The vulnerability has a CVSS 4.0 base score of 6.9, indicating medium severity, with network attack vector, low complexity, no privileges or user interaction needed, and limited scope. The issue has been patched in versions 22.0.0-next.2, 21.2.3, and 20.3.21. Until patches are applied, developers are advised to sanitize the X-Forwarded-Prefix header in their server.ts files before the Angular SSR engine processes the request, effectively blocking malicious input and preventing the redirect flaw.
Potential Impact
This vulnerability allows attackers to redirect users of Angular SSR applications to arbitrary, attacker-controlled websites without any user interaction or authentication. Such open redirects can be exploited in phishing campaigns, enabling attackers to craft URLs that appear legitimate but redirect victims to malicious sites for credential theft, malware distribution, or other social engineering attacks. The lack of the Vary: X-Forwarded-Prefix header exacerbates the risk by allowing malicious redirect responses to be cached by intermediate proxies or CDNs, potentially affecting a large number of users through web cache poisoning. This can lead to widespread exposure to malicious redirects even for users who do not directly interact with the attacker. Organizations running Angular SSR applications behind proxies that use the X-Forwarded-Prefix header are particularly at risk. The vulnerability impacts confidentiality by facilitating phishing and credential theft, and availability could be indirectly affected if users lose trust or are blocked due to malicious redirects. Given the ease of exploitation over the network without privileges or user interaction, the threat is significant for web applications relying on vulnerable Angular SSR versions.
Mitigation Recommendations
1. Upgrade Angular SSR to the patched versions: 22.0.0-next.2 or later, 21.2.3 or later, and 20.3.21 or later as soon as possible.
2. Until upgrades are feasible, implement strict sanitization of the X-Forwarded-Prefix header in the server.ts file or equivalent server-side entry point. This includes rejecting or normalizing any header values starting with backslashes or other suspicious characters that could bypass validation.
3. Add the HTTP response header 'Vary: X-Forwarded-Prefix' to ensure that caches differentiate responses based on this header, preventing cache poisoning.
4. Employ web application firewalls (WAFs) or reverse proxies with rules to detect and block suspicious X-Forwarded-Prefix header values containing backslashes or malformed inputs.
5. Conduct thorough testing of SSR applications behind proxies to verify that redirects are properly validated and do not allow protocol-relative URLs.
6. Educate developers and DevOps teams about the risks of trusting proxy headers without validation, especially in SSR contexts.
7. Monitor logs for unusual redirect patterns or requests with suspicious X-Forwarded-Prefix headers to detect exploitation attempts early.
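The header guard that recommendations 2 and 3 describe, written here as an added example for a `server.ts` entry point; it is not code from the Angular project or from the advisory. It assumes an Express-style middleware signature and only needs the `headers` object and `setHeader` method, so it is typed structurally; the function names are the example's own.

```typescript
// Minimal structural types so the guard runs without Express or @types/node.
interface ReqLike { headers: Record<string, string | string[] | undefined>; }
interface ResLike { setHeader(name: string, value: string): void; }

// Accept a forwarded prefix only if it is a plain path prefix: it must start
// with exactly one "/", contain no backslash, no "//" anywhere, no control
// characters, and none of "?", "#", "@" or ":" which could turn the prefix
// into a query, fragment or authority once it lands in a Location header.
// Returns the normalised prefix ("" for none) or undefined when it is unsafe.
export function sanitizeForwardedPrefix(raw: string | string[] | undefined): string | undefined {
  if (raw === undefined) return undefined;
  const value = Array.isArray(raw) ? raw[0] : raw;   // take the first value if repeated
  if (value === "" || value === "/") return "";      // explicitly "no prefix"
  if (!value.startsWith("/")) return undefined;      // must be path-absolute
  if (/[\\\x00-\x1f\x7f?#@:]/.test(value)) return undefined; // backslash, controls, authority chars
  if (value.includes("//")) return undefined;        // "//x" and "///x" are both rejected
  return value.replace(/\/+$/, "");                  // drop trailing slashes for consistent joining
}

// Middleware to register before the Angular engine handler: an unsafe header is
// removed so the engine never sees it, a safe one is replaced by its normalised
// form, and Vary tells intermediate caches the response depends on the header.
export function forwardedPrefixGuard(req: ReqLike, res: ResLike, next: () => void): void {
  const safe = sanitizeForwardedPrefix(req.headers["x-forwarded-prefix"]);
  if (safe === undefined) {
    delete req.headers["x-forwarded-prefix"];
  } else {
    req.headers["x-forwarded-prefix"] = safe;
  }
  res.setHeader("Vary", "X-Forwarded-Prefix");
  next();
}
```

Register it with `app.use(forwardedPrefixGuard)` ahead of the SSR handler; any proxy that legitimately sets the prefix keeps working because well-formed values such as `/app` pass through unchanged.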
Affected Countries
United States, Germany, United Kingdom, France, India, Japan, South Korea, Australia, Canada, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-19T17:02:34.169Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c57a7f3c064ed76f9f9d3e
Added to database: 3/26/2026, 6:27:11 PM
Last enriched: 3/26/2026, 6:31:43 PM
Last updated: 3/27/2026, 5:26:10 AM