Upgrade @angular/ssr to version 20.3.21, 21.2.3, 22.0.0-next.2 or higher.
@angular/ssr is the Angular server-side rendering utilities package.
Affected versions of this package are vulnerable to Open Redirect via the internal URL processing logic when handling the X-Forwarded-Prefix header. An attacker can cause users to be redirected to arbitrary external domains by supplying a specially crafted header value containing a single backslash \, which is insufficiently sanitized before being used in the Location header. This can facilitate large-scale phishing and SEO hijacking attacks.
Notes:
This is caused by an incomplete fix for CVE-2026-27738.
This is only exploitable if the application uses Angular SSR, has routes that perform internal redirects, the infrastructure passes the X-Forwarded-Prefix header to the SSR process without sanitization, and the cache does not vary on the X-Forwarded-Prefix header.
This vulnerability can be mitigated by sanitizing the X-Forwarded-Prefix header in the server middleware to remove all leading slashes before the Angular engine processes the request.
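The following is an added example of the middleware-level mitigation described above; it is not code from the advisory or from the Angular project. It assumes an Express-style server (handlers with the `(req, res, next)` signature, as Angular's default SSR server setup uses) sitting in front of the Angular engine. The sanitizer goes slightly beyond the note: it strips every leading forward slash and backslash, drops the header entirely when a backslash survives anywhere in the value (a backslash has no legitimate place in a path prefix), and re-adds exactly one `/` so the value the engine sees is always a same-origin path such as `/app`. The function names and the constructed request objects are this example's own.

```javascript
// Added example (not Angular's or the advisory's code): normalize the
// X-Forwarded-Prefix header before the Angular SSR engine processes the request.

// Returns a safe prefix of the form "/segment[/...]" or null when the header
// should be removed. Both leading "/" and "\" runs are collapsed so that values
// like "//evil.example" or "\evil.example" cannot become a protocol-relative
// or backslash-based redirect target when echoed into a Location header.
function sanitizeForwardedPrefix(raw) {
  if (typeof raw !== 'string') return null;
  const stripped = raw.replace(/^[\/\\]+/, '');   // drop ALL leading slashes/backslashes
  if (stripped === '') return null;                // "/", "\", "//" -> no prefix at all
  if (stripped.includes('\\')) return null;        // reject any remaining backslash
  return '/' + stripped;                           // exactly one leading slash
}

// Express-style middleware: rewrite or delete the header in place so every
// downstream handler (including the Angular engine) only sees a sanitized value.
function forwardedPrefixMiddleware(req, res, next) {
  const raw = req.headers['x-forwarded-prefix'];
  const clean = sanitizeForwardedPrefix(Array.isArray(raw) ? raw[0] : raw);
  if (clean === null) {
    delete req.headers['x-forwarded-prefix'];
  } else {
    req.headers['x-forwarded-prefix'] = clean;
  }
  next();
}

// Helper for demonstration: run the middleware over a constructed request
// and return the header value the engine would see (undefined if removed).
function prefixSeenByEngine(headerValue) {
  const req = { headers: { 'x-forwarded-prefix': headerValue } }; // constructed sample
  forwardedPrefixMiddleware(req, {}, () => {});
  return req.headers['x-forwarded-prefix'];
}

// Constructed sample inputs: a legitimate prefix and hostile variants.
for (const v of ['/app', '\\evil.example', '//evil.example', '/app\\x', '/']) {
  console.log(JSON.stringify(v), '->', JSON.stringify(prefixSeenByEngine(v)));
}
```

Mount `forwardedPrefixMiddleware` before the Angular engine handler (`app.use(forwardedPrefixMiddleware)` in Express) so the engine never receives the raw header. Note that this complements, rather than replaces, the upgrade above and the cache consideration in the notes: a cache that does not vary on X-Forwarded-Prefix can still serve one client's redirect to others.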