{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-33397", "tracking": { "current_release_date": "2026-03-30T15:39:54.324957Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-33397", "initial_release_date": "2026-03-21T01:08:16.810886Z", "revision_history": [ { "date": "2026-03-21T01:08:16.810886Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-21T01:08:22.304159Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-26T14:38:51.582313Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (3).| References created (3).| CWES updated (1)." }, { "date": "2026-03-26T14:38:54.226384Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-26T15:35:52.718123Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-26T15:35:57.227778Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-27T20:57:11.754436Z", "number": "7", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-28T07:58:18.629062Z", "number": "8", "summary": "References created (1)." }, { "date": "2026-03-30T15:39:51.856995Z", "number": "9", "summary": "Unknown change." } ], "status": "interim", "version": "9" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=20.0.0-next.0|<20.3.21", "product": { "name": "vers:unknown/>=20.0.0-next.0|<20.3.21", "product_id": "CSAFPID-5918011" } }, { "category": "product_version_range", "name": "vers:unknown/>=21.0.0-next.0|<21.2.3", "product": { "name": "vers:unknown/>=21.0.0-next.0|<21.2.3", "product_id": "CSAFPID-5918010" } }, { "category": "product_version_range", "name": "vers:unknown/>=22.0.0-next.0|<22.0.0-next.2", "product": { "name": "vers:unknown/>=22.0.0-next.0|<22.0.0-next.2", "product_id": "CSAFPID-5918009" } } ], "category": "product_name", "name": "angular-cli" } ], "category": "vendor", "name": "angular" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33397", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site ('Open Redirect')" }, "notes": [ { "category": "description", "text": "An Open Redirect vulnerability exists in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\`) bypass.\n\nWhen an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header:\n\n- An attacker provides a value starting with a single backslash (e.g., `\\evil.com`).\n- The internal validation failed to flag the single backslash as invalid.\n- The application prepends a leading forward slash, resulting in a `Location` header containing `/\\evil.com`.\n- Modern browsers interpret the `/\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain.\n\nFurthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning).\n\n### Impact\nThis vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:\n\n- **Scale**: A single request can poison a high-traffic route, impacting all users until the cache expires.\n- **SEO Poisoning**: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.\n- **Trust**: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.\n\n### Patches\n\n- 22.0.0-next.2\n- 21.2.3\n- 20.3.21\n\n### Workarounds\nUntil the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request:\n\n```ts\napp.use((req, res, next) => {\n const prefix = req.headers['x-forwarded-prefix'];\n if (typeof prefix === 'string') {\n // Sanitize by removing all leading forward and backward slashes\n req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[/\\\\]+/, '/');\n }\n next();\n});\n```\n\n\n### References\n\n- Fix: https://github.com/angular/angular-cli/pull/32771\n- Original CVE: CVE-2026-27738", "title": "github - https://api.github.com/advisories/GHSA-vfx2-hv2g-xj5f" }, { "category": "description", "text": "The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33397.json" }, { "category": "description", "text": "The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33397" }, { "category": "other", "text": "0.00039", "title": "EPSS" }, { "category": "other", "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "title": "CVSSV4" }, { "category": "other", "text": "6.9", "title": "CVSSV4 base score" }, { "category": "other", "text": "4.1", "title": "NCSC Score" }, { "category": "other", "text": "There is cwe data available from source Nvd, The value of the most recent CVSS (V3) score", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5918009", "CSAFPID-5918010", "CSAFPID-5918011" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-vfx2-hv2g-xj5f" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33397.json" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33397" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/angular/angular-cli/security/advisories/GHSA-vfx2-hv2g-xj5f" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/angular/angular-cli/pull/32771" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/advisories/GHSA-xh43-g2fq-wjrj" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-vfx2-hv2g-xj5f" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33397" } ], "title": "CVE-2026-33397" } ] }