Vulnerable Library - ssr-21.2.1.tgz
Angular server side rendering utilities
Library home page: https://registry.npmjs.org/@angular/ssr/-/ssr-21.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 0c069749aca3c095a9aa6c3357e76dd1ff976bcd
Vulnerabilities
| Vulnerability |
Severity |
CVSS |
Dependency |
Type |
Fixed in (ssr version) |
Remediation Possible** |
| CVE-2026-33397 |
High |
7.2 |
ssr-21.2.1.tgz |
Direct |
@angular/ssr - 21.2.3,@angular/ssr - 20.3.21,@angular/ssr - 22.0.0-next.2 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-33397
Vulnerable Library - ssr-21.2.1.tgz
Angular server side rendering utilities
Library home page: https://registry.npmjs.org/@angular/ssr/-/ssr-21.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ ssr-21.2.1.tgz (Vulnerable Library)
Found in HEAD commit: 0c069749aca3c095a9aa6c3357e76dd1ff976bcd
Found in base branch: main
Vulnerability Details
An Open Redirect vulnerability exists in "@angular/ssr" due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., "///"), the internal validation logic fails to account for a single backslash ("") bypass. When an Angular SSR application is deployed behind a proxy that passes the "X-Forwarded-Prefix" header: - An attacker provides a value starting with a single backslash (e.g., "\evil.com"). - The internal validation failed to flag the single backslash as invalid. - The application prepends a leading forward slash, resulting in a "Location" header containing "/\evil.com". - Modern browsers interpret the "/" sequence as "//", treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the "Vary: X-Forwarded-Prefix" header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Impact This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking: - Scale: A single request can poison a high-traffic route, impacting all users until the cache expires. - SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains. - Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious. Patches - 22.0.0-next.2 - 21.2.3 - 20.3.21 Workarounds Until the patch is applied, developers should sanitize the "X-Forwarded-Prefix" header in their "server.ts" before the Angular engine processes the request: app.use((req, res, next) => { const prefix = req.headers['x-forwarded-prefix']; if (typeof prefix === 'string') { // Sanitize by removing all leading forward and backward slashes req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[/]+/, '/'); } next(); }); References - Fix: https://github.com/angular/angular-cli/pull/32771 - Original CVE: CVE-2026-27738
Publish Date: 2026-03-20
URL: CVE-2026-33397
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-vfx2-hv2g-xj5f
Release Date: 2026-03-19
Fix Resolution: @angular/ssr - 21.2.3,@angular/ssr - 20.3.21,@angular/ssr - 22.0.0-next.2
Step up your Open Source Security Game with Mend here
Angular server side rendering utilities
Library home page: https://registry.npmjs.org/@angular/ssr/-/ssr-21.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 0c069749aca3c095a9aa6c3357e76dd1ff976bcd
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - ssr-21.2.1.tgz
Angular server side rendering utilities
Library home page: https://registry.npmjs.org/@angular/ssr/-/ssr-21.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 0c069749aca3c095a9aa6c3357e76dd1ff976bcd
Found in base branch: main
Vulnerability Details
An Open Redirect vulnerability exists in "@angular/ssr" due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., "///"), the internal validation logic fails to account for a single backslash ("") bypass. When an Angular SSR application is deployed behind a proxy that passes the "X-Forwarded-Prefix" header: - An attacker provides a value starting with a single backslash (e.g., "\evil.com"). - The internal validation failed to flag the single backslash as invalid. - The application prepends a leading forward slash, resulting in a "Location" header containing "/\evil.com". - Modern browsers interpret the "/" sequence as "//", treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the "Vary: X-Forwarded-Prefix" header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Impact This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking: - Scale: A single request can poison a high-traffic route, impacting all users until the cache expires. - SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains. - Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious. Patches - 22.0.0-next.2 - 21.2.3 - 20.3.21 Workarounds Until the patch is applied, developers should sanitize the "X-Forwarded-Prefix" header in their "server.ts" before the Angular engine processes the request: app.use((req, res, next) => { const prefix = req.headers['x-forwarded-prefix']; if (typeof prefix === 'string') { // Sanitize by removing all leading forward and backward slashes req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[/]+/, '/'); } next(); }); References - Fix: https://github.com/angular/angular-cli/pull/32771 - Original CVE: CVE-2026-27738
Publish Date: 2026-03-20
URL: CVE-2026-33397
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-vfx2-hv2g-xj5f
Release Date: 2026-03-19
Fix Resolution: @angular/ssr - 21.2.3,@angular/ssr - 20.3.21,@angular/ssr - 22.0.0-next.2
Step up your Open Source Security Game with Mend here