CVE-2026-33397
Open Redirect in Angular SSR via X-Forwarded-Prefix Header
Publication date: 2026-03-26
Last updated on: 2026-04-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| angular | angular_cli | From 20.0.0 (inc) to 20.3.21 (exc) |
| angular | angular_cli | From 21.0.0 (inc) to 21.2.3 (exc) |
| angular | angular_cli | 22.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is an Open Redirect issue in Angular SSR that can lead to large-scale phishing attacks and SEO hijacking by redirecting users to attacker-controlled domains. This can harm the reputation and trustworthiness of legitimate sites.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the potential for phishing attacks and malicious redirects could indirectly affect compliance by exposing users to security risks and potentially unauthorized data exposure or misuse.
Organizations subject to regulations requiring protection of user data and secure handling of web traffic might need to address this vulnerability promptly to avoid risks related to user trust, data integrity, and security controls mandated by such standards.
Can you explain this vulnerability to me?
CVE-2026-33397 is an Open Redirect vulnerability in the Angular Server-Side Rendering (SSR) package, affecting 20.x before 20.3.21, 21.x before 21.2.3, and the 22.0.0 line before 22.0.0-next.2. The vulnerability arises because the internal validation logic intended to block malicious URL prefixes does not treat a leading single backslash (\) as dangerous, so it can be used as a bypass.
When an Angular SSR application is deployed behind a proxy that passes a client-supplied X-Forwarded-Prefix header through unchanged, an attacker can send a value starting with a single backslash. The application prepends a forward slash, producing a Location header such as /\evil.com. Browsers that follow the WHATWG URL Standard treat a backslash like a forward slash in http(s) URLs, so /\evil.com is parsed as //evil.com, a scheme-relative URL, and the user is redirected to an attacker-controlled domain.
Additionally, the response does not include the Vary: X-Forwarded-Prefix header, which allows the malicious redirect to be cached by intermediate proxies, leading to Web Cache Poisoning.
The vulnerability is a result of an incomplete fix for a previous similar vulnerability (CVE-2026-27738) and is classified under CWE-601 (URL Redirection to Untrusted Site).
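The following is an added example, not Angular's code, that models the bypass described above so you can see where a WHATWG-compliant client actually lands. It assumes the vulnerable check rejects a prefix that starts with "/" (so a bare //evil.com cannot become a scheme-relative URL) but not one that starts with "\", and that the application prepends "/" before emitting the value in a Location header; the origin https://app.example is constructed for the demo. Node's URL class implements the same parsing rules as browsers for this case.

```javascript
// Added example (not Angular's code): a model of the backslash bypass.
// Assumptions: the flawed check blocks a leading "/" but not a leading "\",
// and the app builds the Location value as "/" + prefix.
// ORIGIN is a constructed origin for the demo.

const ORIGIN = 'https://app.example';

// Model of the incomplete validation: blocks a leading "/", misses a leading "\".
function flawedPrefixIsAllowed(prefix) {
  return !prefix.startsWith('/');
}

// Model of how the redirect target is assembled: "/" + prefix, or null if rejected.
function buildLocation(prefix) {
  return flawedPrefixIsAllowed(prefix) ? '/' + prefix : null;
}

// Resolve the Location value the way a WHATWG-compliant client (browsers, Node's
// URL class) does. For http(s) the parser treats "\" as "/", so "/\evil.com" is
// read as "//evil.com": a scheme-relative URL whose host is evil.com.
function redirectOutcome(prefix) {
  const location = buildLocation(prefix);
  if (location === null) return { prefix, blocked: true };
  const target = new URL(location, ORIGIN);
  return {
    prefix,
    blocked: false,
    location,
    target: target.href,
    leavesOrigin: target.origin !== ORIGIN,
  };
}

// Walk through a benign prefix, the blocked "//" form, and the backslash bypasses.
for (const p of ['api', '//evil.com', '\\evil.com', '\\\\evil.com']) {
  console.log(redirectOutcome(p));
}
```

The "//evil.com" case is rejected by the modelled check, while "\evil.com" passes it and resolves to https://evil.com/ once the browser applies its slash-normalisation, which is exactly why a check that only looks for forward slashes is incomplete.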
How can this vulnerability impact me?
This vulnerability can lead to large-scale phishing attacks by redirecting users from a legitimate Angular SSR application to attacker-controlled domains without their knowledge.
Because the malicious redirect can be cached by intermediate proxies due to the missing Vary: X-Forwarded-Prefix header, it can cause Web Cache Poisoning, which may result in persistent malicious redirects affecting many users.
SEO hijacking is another impact, where search engines may index the malicious redirects, potentially harming the reputation and trustworthiness of the legitimate site by associating it with malicious domains or even delisting it.
The trusted origin of the domain reduces suspicion from users and security tools, increasing the effectiveness of phishing and other social engineering attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests and responses that carry the X-Forwarded-Prefix header, looking for values that start with a backslash (\) or with repeated forward slashes (//, ///). Such requests may produce redirects to attacker-controlled domains.
To detect potential exploitation attempts on your system, inspect logs or capture traffic to identify suspicious X-Forwarded-Prefix header values. Note that X-Forwarded-Prefix is normally added by your own reverse proxy, so a client-supplied value reaching the SSR process at all is worth investigating.
- Use tools like tcpdump or Wireshark on the hop between the reverse proxy and the SSR process, where the traffic is still plaintext, and filter for requests containing X-Forwarded-Prefix with suspicious values. Capturing on a TLS listener (port 443) shows only ciphertext, so grepping for the header there finds nothing.
- Example tcpdump command, assuming the SSR process listens on port 4000 (the default in the CLI-generated server.ts) and a Linux host where `-i any` is available: `tcpdump -i any -A -s 0 -l 'tcp port 4000' | grep -i 'x-forwarded-prefix'` (`-l` makes tcpdump line-buffered so matches appear as they arrive).
- Search your web server or application logs for entries where the X-Forwarded-Prefix header starts with a backslash (\) or with repeated forward slashes (//, ///).
Additionally, review redirect responses (HTTP 3xx) for Location headers that start with /\ or // sequences, or that resolve to an origin other than your own, and check whether those responses carry a Vary header naming X-Forwarded-Prefix.
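An added example, not part of the original page, that runs the detection heuristics above over constructed access-log records. It assumes the proxy or SSR process logs the inbound X-Forwarded-Prefix value, the response status, the Location header and the Vary header as one JSON object per line; the field names (`xfp`, `location`, `vary`) and the records themselves are hypothetical and constructed for the demo. The Location check resolves the value against your origin with Node's URL class, so it catches the backslash and multiple-slash forms the same way a browser would.

```javascript
// Added example (not code from the page): scan JSON-lines access logs for
// suspicious X-Forwarded-Prefix values, off-origin redirects, and redirects
// that caches may store per-URL because Vary lacks X-Forwarded-Prefix.
// Field names and records are constructed for the demo.

const SAMPLE_LOG = [
  { ts: '2026-03-27T10:00:00Z', path: '/', xfp: '/app', status: 200, location: null, vary: null },
  { ts: '2026-03-27T10:00:01Z', path: '/', xfp: '\\evil.com', status: 302, location: '/\\evil.com', vary: null },
  { ts: '2026-03-27T10:00:02Z', path: '/', xfp: '///evil.com', status: 302, location: '///evil.com', vary: null },
  { ts: '2026-03-27T10:00:03Z', path: '/login', status: 200, location: null, vary: null },
  { ts: '2026-03-27T10:00:04Z', path: '/', xfp: '/api/v1', status: 301, location: '/api/v1/', vary: 'X-Forwarded-Prefix' },
].map((r) => JSON.stringify(r)).join('\n');

// Leading "\" (possibly after slashes), or two or more leading "/".
const SUSPICIOUS_PREFIX = /^\s*([\/\\]*\\|\/{2,})/;

// True when a Location value, resolved as a browser would, leaves our origin.
function locationLeavesOrigin(location, origin) {
  if (!location) return false;
  try {
    return new URL(location, origin).origin !== origin;
  } catch (e) {
    return true; // an unparsable Location is also worth a look
  }
}

// Returns the list of reasons a single record is suspicious (empty if none).
function analyzeRecord(rec, origin) {
  const reasons = [];
  if (typeof rec.xfp === 'string' && SUSPICIOUS_PREFIX.test(rec.xfp)) {
    reasons.push('suspicious X-Forwarded-Prefix: ' + JSON.stringify(rec.xfp));
  }
  const isRedirect = rec.status >= 300 && rec.status < 400;
  if (isRedirect && locationLeavesOrigin(rec.location, origin)) {
    reasons.push('redirect leaves origin: ' + JSON.stringify(rec.location));
  }
  if (isRedirect && !/x-forwarded-prefix/i.test(rec.vary || '')) {
    reasons.push('redirect cacheable per URL: Vary lacks X-Forwarded-Prefix');
  }
  return reasons;
}

// Scan a JSON-lines log and return one finding per suspicious record.
function scanLog(text, origin) {
  const findings = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line);
    const reasons = analyzeRecord(rec, origin);
    if (reasons.length > 0) findings.push({ ts: rec.ts, path: rec.path, reasons });
  }
  return findings;
}

for (const f of scanLog(SAMPLE_LOG, 'https://app.example')) {
  console.log(f.ts, f.path, f.reasons.join('; '));
}
```

Only the two records with attacker-shaped prefixes are reported; the legitimate /api/v1 redirect is quiet because it stays on-origin and already varies on the header.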
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves sanitizing the X-Forwarded-Prefix header in your server code before Angular SSR processes the request.
Specifically, remove all leading forward slashes (/) and backslashes (\) from the X-Forwarded-Prefix header value and replace them with a single forward slash.
- Apply the following middleware snippet in your server.ts or equivalent server entry point, registering it before the Angular request handler so it runs before the header is read:

```javascript
app.use((req, res, next) => {
  const prefix = req.headers['x-forwarded-prefix'];
  if (typeof prefix === 'string') {
    // Collapse any run of leading "/" or "\" into a single "/", so that
    // "\evil.com" and "//evil.com" both become "/evil.com", a same-origin path.
    req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[\/\\]+/, '/');
  }
  next();
});
```
Additionally, upgrade to the patched versions of @angular/ssr: 20.3.21, 21.2.3, or 22.0.0-next.2 as soon as possible.
Ensure that your responses include the Vary: X-Forwarded-Prefix header so that intermediate proxies key cached responses on the header value, instead of serving one request's malicious redirect to every later visitor of the same URL.
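The following is an added example, not the page's snippet and not Angular's code, showing a stricter variant of the mitigation above. Instead of rewriting a bad header, it keeps only values that look like a plain path prefix and drops the header otherwise, and it merges X-Forwarded-Prefix into any existing Vary header rather than overwriting it. An Express-style (req, res, next) middleware signature is assumed; the fake req/res objects in `runGuard` are constructed for the demo. The strongest control remains at the edge: configure the reverse proxy to set X-Forwarded-Prefix itself and discard any copy sent by the client, and use this guard as defence in depth.

```javascript
// Added example (not the page's snippet, not Angular's code): validate rather
// than rewrite X-Forwarded-Prefix, and add Vary so caches key on it.
// Express-style middleware signature assumed.

// Returns the normalised prefix when it is a plain path, else null.
// Accepts "/app", "/app/v2", "/app/" (trailing slash dropped); rejects anything
// starting with "\", repeated slashes, dot segments, ":", "?", "#", spaces.
function safePrefix(value) {
  if (typeof value !== 'string') return null; // absent (Node joins repeated headers into one string, rejected below)
  const norm = value.trim().replace(/\/+$/, ''); // drop trailing slashes
  if (norm === '') return null; // "", "/", "///": no usable prefix
  if (!/^(\/[A-Za-z0-9._~-]+)+$/.test(norm)) return null;
  const segments = norm.split('/').slice(1);
  if (segments.some((s) => s === '.' || s === '..')) return null;
  return norm;
}

// Append a field name to Vary without clobbering what is already there.
function addVary(res, name) {
  const existing = res.getHeader('Vary');
  const fields = existing ? String(existing).split(',').map((f) => f.trim()).filter(Boolean) : [];
  if (fields.includes('*')) return; // "Vary: *" already covers everything
  if (!fields.some((f) => f.toLowerCase() === name.toLowerCase())) fields.push(name);
  res.setHeader('Vary', fields.join(', '));
}

// Middleware: register with app.use(forwardedPrefixGuard) before the Angular handler.
function forwardedPrefixGuard(req, res, next) {
  const safe = safePrefix(req.headers['x-forwarded-prefix']);
  if (safe === null) {
    delete req.headers['x-forwarded-prefix']; // SSR then behaves as if no prefix was sent
  } else {
    req.headers['x-forwarded-prefix'] = safe;
  }
  addVary(res, 'X-Forwarded-Prefix');
  next();
}

// Demo harness with constructed req/res objects; returns what the app would see.
function runGuard(prefixHeader, existingVary) {
  const req = { headers: {} };
  if (prefixHeader !== undefined) req.headers['x-forwarded-prefix'] = prefixHeader;
  const headers = {};
  if (existingVary) headers.vary = existingVary;
  const res = {
    getHeader: (n) => headers[n.toLowerCase()],
    setHeader: (n, v) => { headers[n.toLowerCase()] = v; },
  };
  let nextCalled = false;
  forwardedPrefixGuard(req, res, () => { nextCalled = true; });
  return { prefix: req.headers['x-forwarded-prefix'], vary: headers.vary, nextCalled };
}

for (const p of ['/app/v2', '/app/', '\\evil.com', '///evil.com', '/a/../b']) {
  console.log(JSON.stringify(p), '=>', runGuard(p, 'Accept-Encoding'));
}
```

In a real Express app, `res.vary('X-Forwarded-Prefix')` performs the same merge as `addVary`; the hand-written version is here so the demo runs without Express. Dropping the header rather than rewriting it means an attacker-shaped value can never reach the SSR engine in any form.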