CVE-2025-62427
BaseFortify

Publication date: 2025-10-16

Last updated on: 2025-10-21

Assigner: GitHub, Inc.

Description
Angular SSR (@angular/ssr) is the server-side rendering package for Angular applications. The vulnerability is a Server-Side Request Forgery (SSRF) flaw in the URL resolution mechanism of @angular/ssr before 19.2.18, 20.3.6, and 21.0.0-next.8. The function createRequestUrl uses the native URL constructor. When an incoming request path (e.g., originalUrl or url) begins with two slash characters, the WHATWG URL parser treats it as a scheme-relative URL; because the parser treats a backslash as a slash for http(s) URLs, a leading //, \\ or /\ all qualify. This overrides the security-intended base URL (protocol, host, and port) supplied as the second argument: the result keeps the scheme of the base URL but adopts the attacker-controlled hostname. An attacker can therefore place an external domain in the request path, tricking the Angular SSR environment into setting the page's virtual location (accessible via the DOCUMENT or PlatformLocation tokens) to that attacker-controlled domain. Any subsequent relative HTTP request made during the SSR process (e.g., HttpClient.get('assets/data.json')) is then resolved against the attacker's domain, forcing the server to communicate with an arbitrary external endpoint. This vulnerability is fixed in 19.2.18, 20.3.6, and 21.0.0-next.8.
Meta Information
Page generated: 2026-05-07
AI Q&A generated: 2025-10-16
EPSS evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: angular
Product: ssr
Version / Range: * (all versions; the fixed releases listed in the description are 19.2.18, 20.3.6 and 21.0.0-next.8)
CWE
CWE-918 (Server-Side Request Forgery): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Server-Side Request Forgery (SSRF) flaw in Angular CLI's Server-Side Rendering package (@angular/ssr) before versions 19.2.18, 20.3.6, and 21.0.0-next.8. It occurs because the URL resolution mechanism incorrectly handles incoming request paths that start with two slash characters (// or, since the URL parser treats backslashes as slashes for http(s) URLs, \\ or /\). The native URL constructor treats such paths as scheme-relative URLs, overriding the intended base URL and allowing an attacker to specify an external domain. This tricks the Angular SSR environment into setting the page's virtual location to the attacker's domain, so any subsequent relative HTTP request during SSR is resolved against the attacker's domain, potentially forcing the server to communicate with arbitrary external endpoints.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker to manipulate the server-side rendering process to make the server send HTTP requests to arbitrary external domains controlled by the attacker. This can lead to unauthorized data exposure, server-side request manipulation, or interaction with malicious endpoints, potentially compromising server integrity, confidentiality, or availability.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Angular SSR package (@angular/ssr) to version 19.2.18, 20.3.6, or 21.0.0-next.8 or later, where the issue is fixed. Until the update is applied, reject or normalize request paths that begin with // or a backslash before they reach the server-side rendering logic (for example, collapse any run of leading slashes and backslashes to a single /), and check that the resolved request URL still has the origin of your configured base URL.

