GHSA-vfx2-hv2g-xj5f

Source

https://github.com/advisories/GHSA-vfx2-hv2g-xj5f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vfx2-hv2g-xj5f/GHSA-vfx2-hv2g-xj5f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vfx2-hv2g-xj5f

Aliases

CVE-2026-33397

Published

2026-03-19T21:22:52Z

Modified

2026-03-27T21:02:43.417565Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR

Details

An Open Redirect vulnerability exists in @angular/ssr due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., ///), the internal validation logic fails to account for a single backslash (\) bypass.

When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header:

An attacker provides a value starting with a single backslash (e.g., \evil.com).
The internal validation failed to flag the single backslash as invalid.
The application prepends a leading forward slash, resulting in a Location header containing /\evil.com.
Modern browsers interpret the /\ sequence as //, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain.

Furthermore, the response lacks the Vary: X-Forwarded-Prefix header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning).

Impact

This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:

Scale: A single request can poison a high-traffic route, impacting all users until the cache expires.
SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.
Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.

Patches

22.0.0-next.2
21.2.3
20.3.21

Workarounds

Until the patch is applied, developers should sanitize the X-Forwarded-Prefix header in their server.ts before the Angular engine processes the request:

app.use((req, res, next) => {
  const prefix = req.headers['x-forwarded-prefix'];
  if (typeof prefix === 'string') {
    // Sanitize by removing all leading forward and backward slashes
    req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[/\\]+/, '/');
  }
  next();
});

References

Fix: https://github.com/angular/angular-cli/pull/32771
Original CVE: CVE-2026-27738

Database specific

{
    "nvd_published_at": "2026-03-26T15:16:38Z",
    "github_reviewed_at": "2026-03-19T21:22:52Z",
    "cwe_ids": [
        "CWE-601"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

npm / @angular/ssr

Package

Name: @angular/ssr; View open source insights on deps.dev
Purl: pkg:npm/%40angular/ssr

Affected ranges

Type: SEMVER
Events: Introduced

22.0.0-next.0

Fixed

22.0.0-next.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vfx2-hv2g-xj5f/GHSA-vfx2-hv2g-xj5f.json"

npm / @angular/ssr

Package

Name: @angular/ssr; View open source insights on deps.dev
Purl: pkg:npm/%40angular/ssr

Affected ranges

Type: SEMVER
Events: Introduced

21.0.0-next.0

Fixed

21.2.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vfx2-hv2g-xj5f/GHSA-vfx2-hv2g-xj5f.json"

npm / @angular/ssr

Package

Name: @angular/ssr; View open source insights on deps.dev
Purl: pkg:npm/%40angular/ssr

Affected ranges

Type: SEMVER
Events: Introduced

20.0.0-next.0

Fixed

20.3.21

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vfx2-hv2g-xj5f/GHSA-vfx2-hv2g-xj5f.json"