Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-vfx2-hv2g-xj5f

MEDIUM

Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR

Also known asCVE-2026-33397
Published
Mar 19, 2026
Updated
May 6, 2026
Affected
3 pkgs
Patched
3 / 3
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.3%probability of exploitation in next 30 days
Lower Risk17th percentile+0.25%
0.00%0.25%0.50%0.76%0.1%0.0%0.0%0.3%Apr 26Jun 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

3 pkgs affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

@angular/ssrnpm
629Kdownloads / week

Description

An Open Redirect vulnerability exists in @angular/ssr due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., ///), the internal validation logic fails to account for a single backslash (\) bypass.

When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header:

  • An attacker provides a value starting with a single backslash (e.g., \evil.com).
  • The internal validation failed to flag the single backslash as invalid.
  • The application prepends a leading forward slash, resulting in a Location header containing /\evil.com.
  • Modern browsers interpret the /\ sequence as //, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain.

Furthermore, the response lacks the Vary: X-Forwarded-Prefix header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning).

Impact

This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking:

  • Scale: A single request can poison a high-traffic route, impacting all users until the cache expires.
  • SEO Poisoning: Search engine crawlers may follow and index these malicious redirects, causing the legitimate site to be delisted or associated with malicious domains.
  • Trust: Because the initial URL belongs to the trusted domain, users and security tools are less likely to flag the redirect as malicious.

Patches

  • 22.0.0-next.2
  • 21.2.3
  • 20.3.21

Workarounds

Until the patch is applied, developers should sanitize the X-Forwarded-Prefix header in their server.ts before the Angular engine processes the request:

app.use((req, res, next) => {
  const prefix = req.headers['x-forwarded-prefix'];
  if (typeof prefix === 'string') {
    // Sanitize by removing all leading forward and backward slashes
    req.headers['x-forwarded-prefix'] = prefix.trim().replace(/^[/\\]+/, '/');
  }
  next();
});

References

Affected Packages

3 total 3 fixed
EcosystemPackageVulnerable rangeFix
📦npm@angular/ssr22.0.0-next.0&&< 22.0.0-next.222.0.0-next.2
📦npm@angular/ssr21.0.0-next.0&&< 21.2.321.2.3
📦npm@angular/ssr20.0.0-next.0&&< 20.3.2120.3.21

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @angular/ssr. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update @angular/ssr to 22.0.0-next.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-vfx2-hv2g-xj5f is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-vfx2-hv2g-xj5f is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-vfx2-hv2g-xj5f. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

An Open Redirect vulnerability exists in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header: - An attacker provides a value starting with a single backslash (e.g., `\evil.com`). - The internal validation failed to flag the single backslash as invalid. - The application prepends a leading forward slash, resulting in a
O3 Security · Impact-Aware SCA

Is GHSA-vfx2-hv2g-xj5f in your dependencies?

O3 detects GHSA-vfx2-hv2g-xj5f across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works