Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-g957-mzhx-4fgx
Vulnerability ID VCID-g957-mzhx-4fgx
Aliases CVE-2026-33397
GHSA-vfx2-hv2g-xj5f
Summary Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR An Open Redirect vulnerability exists in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header: - An attacker provides a value starting with a single backslash (e.g., `\evil.com`). - The internal validation failed to flag the single backslash as invalid. - The application prepends a leading forward slash, resulting in a `Location` header containing `/\evil.com`. - Modern browsers interpret the `/\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). ### Impact This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking: - **Scale**: A single request can poison a high-traffic route, impacting all users until the cache expires. - **SEO Poisoning**: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains. - **Trust**: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious. ### Patches - 22.0.0-next.2 - 21.2.3 - 20.3.21 ### Workarounds Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request: ```ts app.use((req, res, next) => { const prefix = req.headers['x-forwarded-prefix']; if (typeof prefix === 'string') { // Sanitize by removing all leading forward and backward slashes req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[/\\]+/, '/'); } next(); }); ``` ### References - Fix: https://github.com/angular/angular-cli/pull/32771 - Original CVE: CVE-2026-27738
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2026-33397
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2026-33397
cvssv3.1 6.1 https://github.com/advisories/GHSA-xh43-g2fq-wjrj
cvssv4 6.9 https://github.com/advisories/GHSA-xh43-g2fq-wjrj
generic_textual MODERATE https://github.com/advisories/GHSA-xh43-g2fq-wjrj
ssvc Track https://github.com/advisories/GHSA-xh43-g2fq-wjrj
cvssv3.1 6.1 https://github.com/angular/angular-cli
cvssv4 6.9 https://github.com/angular/angular-cli
generic_textual MODERATE https://github.com/angular/angular-cli
cvssv3.1 6.1 https://github.com/angular/angular-cli/pull/32771
cvssv4 6.9 https://github.com/angular/angular-cli/pull/32771
generic_textual MODERATE https://github.com/angular/angular-cli/pull/32771
ssvc Track https://github.com/angular/angular-cli/pull/32771
cvssv3.1 6.1 https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f
cvssv4 6.9 https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f
generic_textual MODERATE https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f
ssvc Track https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2026-33397
cvssv4 6.9 https://nvd.nist.gov/vuln/detail/CVE-2026-33397
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-33397
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-33397
https://github.com/angular/angular-cli
https://github.com/angular/angular-cli/pull/32771
https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f
https://nvd.nist.gov/vuln/detail/CVE-2026-33397
GHSA-vfx2-hv2g-xj5f https://github.com/advisories/GHSA-vfx2-hv2g-xj5f
GHSA-xh43-g2fq-wjrj https://github.com/advisories/GHSA-xh43-g2fq-wjrj
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/advisories/GHSA-xh43-g2fq-wjrj
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/advisories/GHSA-xh43-g2fq-wjrj
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T13:54:22Z/ Found at https://github.com/advisories/GHSA-xh43-g2fq-wjrj
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/angular/angular-cli
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/angular/angular-cli
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/angular/angular-cli/pull/32771
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/angular/angular-cli/pull/32771
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T13:54:22Z/ Found at https://github.com/angular/angular-cli/pull/32771
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T13:54:22Z/ Found at https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33397
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33397
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.01636
EPSS Score 0.00012
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:57:37.403546+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vfx2-hv2g-xj5f/GHSA-vfx2-hv2g-xj5f.json 38.6.0