CVE-2025-62427: Server-Side Request Forgery (SSRF) in Angular SSR

Published Oct 16, 2025
·
Updated

Impact The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr).

The function createRequestUrl uses the native URL constructor. When an incoming request path (e.g., originalUrl or url) begins with a double forward slash (//) or backslash (\\), the URL constructor treats it as a schema-relative URL. This behavior overrides the security-intended base URL (protocol, host, and port) supplied as the second argument, instead resolving the URL against the scheme of the base URL but adopting the attacker-controlled hostname.

This allows an attacker to specify an external domain in the URL path, tricking the Angular SSR environment into setting the page's virtual location (accessible via DOCUMENT or PlatformLocation tokens) to this attacker-controlled domain. Any subsequent relative HTTP requests made during the SSR process (e.g., using HttpClient.get('assets/data.json')) will be incorrectly resolved against the attacker's domain, forcing the server to communicate with an arbitrary external endpoint.

Exploit Scenario A request to http://localhost:4200//attacker-domain.com/some-page causes Angular to believe the host is attacker-domain.com. A relative request to api/data then becomes a server-side request to http://attacker-domain.com/api/data.

Patches

- @angular/ssr 19.2.18 - @angular/ssr 20.3.6 - @angular/ssr 21.0.0-next.8

Mitigation

The application's internal location must be robustly determined from the incoming request. The fix requires sanitizing or validating the request path to prevent it from being interpreted as a schema-relative URL (i.e., ensuring it does not start with //).

Server-Side Middleware If you can't upgrade to a patched version, implement a middleware on the Node.js/Express server that hosts the Angular SSR application to explicitly reject or sanitize requests where the path begins with a double slash (//).

Example (Express/Node.js):

ts // Place this middleware before the Angular SSR handler app.use((req, res, next) => { if (req.originalUrl?.startsWith('//')) { // Sanitize by forcing a single slash req.originalUrl = req.originalUrl.replace(/^\/\/+/, '/'); req.url = req.url.replace(/^\/\/+/, '/'); } next(); });

References

- Report: https://github.com/angular/angular-cli/issues/31464 - Fix: https://github.com/angular/angular-cli/pull/31474

Other sources

The Angular SSR is a server-rise rendering tool for Angular applications. The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr) before 19.2.18, 20.3.6, and 21.0.0-next.8. The function createRequestUrl uses the native URL constructor. When an incoming request path (e.g., originalUrl or url) begins with a double forward slash (//) or backslash (\\), the URL constructor treats it as a schema-relative URL. This behavior overrides the security-intended base URL (protocol, host, and port) supplied as the second argument, instead resolving the URL against the scheme of the base URL but adopting the attacker-controlled hostname. This allows an attacker to specify an external domain in the URL path, tricking the Angular SSR environment into setting the page's virtual location (accessible via DOCUMENT or PlatformLocation tokens) to this attacker-controlled domain. Any subsequent relative HTTP requests made during the SSR process (e.g., using HttpClient.get('assets/data.json')) will be incorrectly resolved against the attacker's domain, forcing the server to communicate with an arbitrary external endpoint. This vulnerability is fixed in 19.2.18, 20.3.6, and 21.0.0-next.8.

NVD

Affected Software

4 affected componentsFixes available
angular @angular/ssr<19.2.18, <20.3.6, <21.0.0-next.8
npm/@angular/ssr>=21.0.0-next.0<21.0.0-next.8
21.0.0-next.8
npm/@angular/ssr>=20.0.0-next.0<20.3.6
20.3.6
npm/@angular/ssr>=19.0.0-next.0<19.2.18
19.2.18

Event History

Oct 16, 2025
CVE Published
via MITRE·06:50 PM
Data Sourced
via MITRE·06:50 PM
DescriptionWeakness
Data Sourced
via NVD·07:15 PM
DescriptionSeverityWeakness
Advisory Published
via GitHub·09:28 PM
Data Sourced
via GitHub·09:28 PM
DescriptionWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-62427?

CVE-2025-62427 has been classified with a high severity due to its potential to allow Server-Side Request Forgery attacks.

2

How do I fix CVE-2025-62427?

To fix CVE-2025-62427, upgrade to Angular's @angular/ssr version 19.2.18, 20.3.6, or 21.0.0-next.8 or later.

3

What specific versions of Angular are affected by CVE-2025-62427?

CVE-2025-62427 affects Angular @angular/ssr versions earlier than 19.2.18, 20.3.6, and 21.0.0-next.8.

4

What type of vulnerability is CVE-2025-62427?

CVE-2025-62427 is identified as a Server-Side Request Forgery (SSRF) vulnerability.

5

Is CVE-2025-62427 related to any specific Angular feature?

CVE-2025-62427 is related to the URL resolution mechanism within Angular's Server-Side Rendering package.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203