Angular CLI 22.0.0 Next0 for Node.js
Approved changes feed: RSS · Atom
cpe:2.3:a:angular:angular_cli:22.0.0:next0:*:*:*:node.js:*:*
part: a version: 22.0.0 update: next0
| Vendor | Angular (d8cfb05c-218e-5baa-85be-4cd660bbc13e) |
|---|---|
| Product | Angular Cli (8d0182e8-4fa5-5e50-ba87-f19d0a596824) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | node.js |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/angular/angular-cli |
purl2cpe | 2026-06-01 10:15:51.352161 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-33397 |
vulnerable | 2026-06-08 07:59:09.863252 |
Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass
The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.
Published: 2026-03-26T13:46:16.145Z
Updated: 2026-03-30T14:56:05.822Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.