Skip to content

ssr-21.2.1.tgz: 1 vulnerabilities (highest severity is: 7.2) - autoclosed #1084

Description

@mend-bolt-for-github
Vulnerable Library - ssr-21.2.1.tgz

Angular server side rendering utilities

Library home page: https://registry.npmjs.org/@angular/ssr/-/ssr-21.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 0c069749aca3c095a9aa6c3357e76dd1ff976bcd

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (ssr version) Remediation Possible**
CVE-2026-33397 High 7.2 ssr-21.2.1.tgz Direct @angular/ssr - 21.2.3,@angular/ssr - 20.3.21,@angular/ssr - 22.0.0-next.2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-33397

Vulnerable Library - ssr-21.2.1.tgz

Angular server side rendering utilities

Library home page: https://registry.npmjs.org/@angular/ssr/-/ssr-21.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • ssr-21.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 0c069749aca3c095a9aa6c3357e76dd1ff976bcd

Found in base branch: main

Vulnerability Details

An Open Redirect vulnerability exists in "@angular/ssr" due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., "///"), the internal validation logic fails to account for a single backslash ("") bypass. When an Angular SSR application is deployed behind a proxy that passes the "X-Forwarded-Prefix" header: - An attacker provides a value starting with a single backslash (e.g., "\evil.com"). - The internal validation failed to flag the single backslash as invalid. - The application prepends a leading forward slash, resulting in a "Location" header containing "/\evil.com". - Modern browsers interpret the "/" sequence as "//", treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the "Vary: X-Forwarded-Prefix" header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Impact This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking: - Scale: A single request can poison a high-traffic route, impacting all users until the cache expires. - SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains. - Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious. Patches - 22.0.0-next.2 - 21.2.3 - 20.3.21 Workarounds Until the patch is applied, developers should sanitize the "X-Forwarded-Prefix" header in their "server.ts" before the Angular engine processes the request: app.use((req, res, next) => { const prefix = req.headers['x-forwarded-prefix']; if (typeof prefix === 'string') { // Sanitize by removing all leading forward and backward slashes req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[/]+/, '/'); } next(); }); References - Fix: https://github.com/angular/angular-cli/pull/32771 - Original CVE: CVE-2026-27738

Publish Date: 2026-03-20

URL: CVE-2026-33397

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vfx2-hv2g-xj5f

Release Date: 2026-03-19

Fix Resolution: @angular/ssr - 21.2.3,@angular/ssr - 20.3.21,@angular/ssr - 22.0.0-next.2

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions