Summary
Exploit Scenario
A request to http://localhost:4200//attacker-domain.com/some-page causes Angular to believe the host is attacker-domain.com. A relative request to api/data then becomes a server-side request to http://attacker-domain.com/api/data.
Mitigation
The application's internal location must be robustly determined from the incoming request. The fix requires sanitizing or validating the request path to prevent it from being interpreted as a schema-relative URL (i.e., ensuring it does not start with //).
Server-Side Middleware
If you can't upgrade to a patched version, implement a middleware on the Node.js/Express server that hosts the Angular SSR application to explicitly reject or sanitize requests where the path begins with a double slash (//).
Example (Express/Node.js):
// Place this middleware before the Angular SSR handler
app.use((req, res, next) => {
if (req.originalUrl?.startsWith('//')) {
// Sanitize by forcing a single slash
req.originalUrl = req.originalUrl.replace(/^\/\/+/, '/');
req.url = req.url.replace(/^\/\/+/, '/');
}
next();
});
References
Impact
The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr).
The function createRequestUrl uses the native URL constructor. When an incoming request path (e.g., originalUrl or url) begins with a double forward slash (//) or backslash (\\), the URL constructor treats it as a schema-relative URL. This behavior overrides the security-intended base URL (protocol, host, and port) supplied as the second argument, instead resolving the URL against the scheme of the base URL but adopting the attacker-controlled hostname.
This allows an attacker to specify an external domain in the URL path, tricking the Angular SSR environment into setting the page's virtual location (accessible via DOCUMENT or PlatformLocation tokens) to this attacker-controlled domain. Any subsequent relative HTTP requests made during the SSR process (e.g., using HttpClient.get('assets/data.json')) will be incorrectly resolved against the attacker's domain, forcing the server to communicate with an arbitrary external endpoint.
Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
@angular/ssr19.2.18@angular/ssr20.3.6@angular/ssr21.0.0-next.8
Frequently Asked Questions
- What is CVE-2025-62427? CVE-2025-62427 is a high-severity server-side request forgery (SSRF) vulnerability in @angular/ssr (npm), affecting versions >= 19.0.0-next.0, < 19.2.18. It is fixed in 19.2.18, 20.3.6, 21.0.0-next.8. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
- Which versions of @angular/ssr are affected by CVE-2025-62427? @angular/ssr (npm) versions >= 19.0.0-next.0, < 19.2.18 is affected.
- Is there a fix for CVE-2025-62427? Yes. CVE-2025-62427 is fixed in 19.2.18, 20.3.6, 21.0.0-next.8. Upgrade to this version or later.
- Is CVE-2025-62427 exploitable, and should I be worried? Whether CVE-2025-62427 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-62427 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-62427?
- Upgrade
@angular/ssrto 19.2.18 or later - Upgrade
@angular/ssrto 20.3.6 or later - Upgrade
@angular/ssrto 21.0.0-next.8 or later
- Upgrade