CVE-2026-33397 Overview
CVE-2026-33397 is an Open Redirect vulnerability in @angular/ssr, the server-side rendering tool for Angular applications. This vulnerability represents an incomplete fix for the previously disclosed CVE-2026-27738. While the original patch successfully blocked multiple leading slashes (e.g., ///), the validation logic fails to account for a single backslash (\) bypass, allowing attackers to redirect users to malicious domains and potentially poison web caches.
Critical Impact
Attackers can exploit this vulnerability to redirect users to attacker-controlled domains and poison intermediate web caches, potentially affecting all users accessing cached responses through the compromised proxy.
Affected Products
- Angular SSR 22.x branch versions prior to 22.0.0-next.2
- Angular SSR 21.x branch versions prior to 21.2.3
- Angular SSR 20.x branch versions prior to 20.3.21
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-33397 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33397
Vulnerability Analysis
This Open Redirect vulnerability occurs due to insufficient input validation in the @angular/ssr package when processing the X-Forwarded-Prefix header. The vulnerability is classified under CWE-601 (URL Redirection to Untrusted Site), which describes scenarios where web applications redirect users to external sites without proper validation of the destination URL.
The core issue stems from an incomplete security fix for the earlier CVE-2026-27738. The original mitigation correctly blocked redirect attempts using multiple consecutive forward slashes (e.g., ///example.com), but the validation logic overlooked a critical edge case involving a single backslash character.
Root Cause
The root cause lies in the internal validation logic within @angular/ssr that processes the X-Forwarded-Prefix header. The validation function was designed to detect and block protocol-relative URLs by checking for multiple leading slashes. However, it fails to recognize that a single backslash (\) can also be leveraged to construct a protocol-relative URL when combined with the application's automatic prefix handling.
When the application processes a malicious X-Forwarded-Prefix value starting with a single backslash, it prepends a leading forward slash, resulting in a /\ sequence in the Location header. Modern browsers interpret this /\ pattern as equivalent to //, treating the subsequent path as a protocol-relative URL pointing to an external domain.
Attack Vector
The attack exploits Angular SSR applications deployed behind reverse proxies that pass the X-Forwarded-Prefix header. An attacker can craft a malicious request containing a single backslash followed by their controlled domain in the X-Forwarded-Prefix header.
The exploitation flow proceeds as follows: The attacker sends a request with a header value like X-Forwarded-Prefix: \attacker.com. The internal validation fails to flag the single backslash as invalid. The application prepends a leading forward slash, generating a Location header containing /\attacker.com. The browser interprets /\ as //, treating it as a protocol-relative URL and redirecting the user to //attacker.com.
Furthermore, because the response lacks the Vary: X-Forwarded-Prefix header, intermediate caching proxies may store the malicious redirect response. This enables Web Cache Poisoning, where subsequent legitimate users receive the cached malicious redirect without any direct interaction with the attacker.
For detailed technical implementation, refer to the GitHub Security Advisory and the associated pull request.
Detection Methods for CVE-2026-33397
Indicators of Compromise
- Unusual Location header values containing /\ sequences followed by external domains
- HTTP responses with Location headers pointing to unexpected external URLs
- Log entries showing X-Forwarded-Prefix header values containing backslash characters
- Cache entries containing redirect responses to external domains
Detection Strategies
- Monitor web server and proxy access logs for requests containing backslash characters in the X-Forwarded-Prefix header
- Implement Web Application Firewall (WAF) rules to detect and block X-Forwarded-Prefix values containing backslash characters
- Review cached responses in intermediate proxies for unexpected redirect destinations
- Audit application dependencies to identify vulnerable versions of @angular/ssr
Monitoring Recommendations
- Configure alerting on HTTP responses with Location headers containing the /\ character sequence
- Monitor for user reports of unexpected redirects to external domains
- Implement cache inspection routines to detect poisoned cache entries
- Track outbound redirect destinations and alert on new or suspicious external domains
How to Mitigate CVE-2026-33397
Immediate Actions Required
- Update @angular/ssr to patched versions: 22.0.0-next.2, 21.2.3, or 20.3.21 depending on your branch
- Sanitize the X-Forwarded-Prefix header in your server.ts before the Angular engine processes the request
- Configure reverse proxies to strip or validate X-Forwarded-Prefix headers containing backslash characters
- Purge intermediate caches to remove any potentially poisoned redirect responses
Patch Information
The Angular team has released security patches addressing this vulnerability. Affected applications should upgrade to the following versions:
- For 22.x branch: Upgrade to 22.0.0-next.2 or later
- For 21.x branch: Upgrade to 21.2.3 or later
- For 20.x branch: Upgrade to 20.3.21 or later
The fix addresses the validation bypass by properly detecting and blocking single backslash characters in the X-Forwarded-Prefix header value. Additional details are available in the GitHub Pull Request #32771.
Workarounds
- Implement input sanitization in your server.ts to reject or sanitize X-Forwarded-Prefix values containing backslash characters before Angular SSR processes the request
- Configure your reverse proxy or load balancer to strip the X-Forwarded-Prefix header if not required by your application
- Add WAF rules to block requests with suspicious X-Forwarded-Prefix header values
- Add the Vary: X-Forwarded-Prefix header manually to prevent cache poisoning until the patch is applied
// Workaround: Sanitize X-Forwarded-Prefix in server.ts
// Add this middleware before Angular SSR engine initialization
app.use((req, res, next) => {
const forwardedPrefix = req.headers['x-forwarded-prefix'];
if (forwardedPrefix && typeof forwardedPrefix === 'string') {
// Block requests containing backslash in X-Forwarded-Prefix
if (forwardedPrefix.includes('\\')) {
req.headers['x-forwarded-prefix'] = '';
}
}
// Ensure proper Vary header to prevent cache poisoning
res.vary('X-Forwarded-Prefix');
next();
});
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
