PT-2026-26492 · Google · @Angular/Ssr+1
Venkatkwest
·
Published
2026-02-25
·
Updated
2026-04-30
·
CVE-2026-33397
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
Angular versions prior to 22.0.0-next.2
Angular versions prior to 21.2.3
Angular versions prior to 20.3.21
Description
An Open Redirect issue exists in the Angular SSR tool due to an incomplete fix for a previously identified problem. The internal validation logic does not properly handle a single backslash (`\`) at the start of the X-Forwarded-Prefix header, allowing attackers to bypass the existing check. When the application is deployed behind a proxy that passes the X-Forwarded-Prefix header through, an attacker can supply a value beginning with a single backslash. The application prepends a forward slash, producing a Location header of the form `/\attacker-host/...`, which browsers interpret as a protocol-relative URL and follow to an attacker-controlled domain. Because the response lacks a `Vary: X-Forwarded-Prefix` header, a cache in front of the application may store the malicious redirect and serve it to other users (web cache poisoning). This enables phishing and SEO hijacking, can affect a large number of users, and may cause search engines to index the malicious redirect. The vulnerability affects applications using the @angular/ssr package; the X-Forwarded-Prefix header is used to determine the base URL for the application.
Recommendations
Versions prior to 22.0.0-next.2: Apply the patch by updating to version 22.0.0-next.2 or later.
Versions prior to 21.2.3: Apply the patch by updating to version 21.2.3 or later.
Versions prior to 20.3.21: Apply the patch by updating to version 20.3.21 or later.
As a temporary workaround, sanitize the X-Forwarded-Prefix header in your server.ts file before the Angular engine processes the request by removing all leading forward and backward slashes.
Exploit
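The redirect construction described above and the server.ts workaround, as an added example that is not the advisory's or Angular's code. The request and header shapes are minimal Express-style stand-ins (assumptions), and `buildLocationUnsafe` models only the behaviour the advisory describes (a forward slash prepended to the forwarded prefix), not the internals of @angular/ssr:

```typescript
// Added example for this advisory; not code from Angular or @angular/ssr.
// It models the redirect construction the advisory describes and the
// server.ts workaround (strip leading "/" and "\" from X-Forwarded-Prefix).
// The request shape below is a minimal Express-style stand-in (an assumption).

interface HeaderMap { [name: string]: string | string[] | undefined; }
interface MinimalRequest { headers: HeaderMap; }

// The behaviour described in the advisory: the base URL is taken from the
// forwarded prefix and a forward slash is prepended if missing. A prefix of
// "\evil.example" therefore becomes "/\evil.example", and the resulting
// Location value is scheme-relative in browsers, which treat "\" like "/".
function buildLocationUnsafe(prefix: string, targetPath: string): string {
  const base = prefix.startsWith("/") ? prefix : "/" + prefix;
  return base.replace(/\/$/, "") + targetPath;
}

// True when a Location value starts with two slash-like characters ("//" or
// "/\"), i.e. when a browser would resolve it against a new host.
function isProtocolRelative(location: string): boolean {
  return /^[\/\\]{2}/.test(location);
}

// Workaround from the advisory: remove every leading forward and backward
// slash. An empty result is reported as "no prefix" (undefined).
function sanitizeForwardedPrefix(raw: string | string[] | undefined): string | undefined {
  if (raw === undefined) return undefined;
  const value = Array.isArray(raw) ? (raw[0] ?? "") : raw;
  const stripped = value.replace(/^[\/\\]+/, "");
  return stripped.length > 0 ? stripped : undefined;
}

// Apply the sanitiser to an incoming request before handing it to the Angular
// engine (in server.ts this would run as middleware ahead of the SSR handler).
function sanitizePrefixHeader(req: MinimalRequest): MinimalRequest {
  const cleaned = sanitizeForwardedPrefix(req.headers["x-forwarded-prefix"]);
  if (cleaned === undefined) {
    delete req.headers["x-forwarded-prefix"];
  } else {
    req.headers["x-forwarded-prefix"] = cleaned;
  }
  return req;
}

// Constructed demonstration input: a request carrying the malicious prefix.
const demoRequest: MinimalRequest = { headers: { "x-forwarded-prefix": "\\evil.example" } };
const before = buildLocationUnsafe(demoRequest.headers["x-forwarded-prefix"] as string, "/login");
sanitizePrefixHeader(demoRequest);
const after = buildLocationUnsafe(demoRequest.headers["x-forwarded-prefix"] as string, "/login");
console.log(`unsanitized: ${before} (protocol-relative: ${isProtocolRelative(before)})`);
console.log(`sanitized:   ${after} (protocol-relative: ${isProtocolRelative(after)})`);
```

Stripping the leading slashes guarantees that whatever the application prepends yields a Location beginning with exactly one forward slash, so the value stays a path on the current origin. The sanitiser is a stopgap only; the fixed versions listed above are the real remedy. Because the response body and Location depend on X-Forwarded-Prefix, any cache in front of the application should also key on that header (a `Vary: X-Forwarded-Prefix` response header), otherwise a poisoned redirect can be served to other users as the advisory notes.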
Fix
Open Redirect
Weakness Enumeration
Related identifiers
Affected products
@Angular/Ssr
Angular