N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-62427

GHSA ID

GHSA-q63q-pgmf-mxhr

EPSS Score

CWE

CWE-918

Published

10/16/2025

Updated

10/16/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62427

CVE-2025-62427: Angular SSR has a Server-Side Request Forgery (SSRF) flaw

Impact

The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr).

The function createRequestUrl uses the native URL constructor. When an incoming request path (e.g., originalUrl or url) begins with a double forward slash (//) or backslash (\\), the URL constructor treats it as a schema-relative URL. This behavior overrides the security-intended base URL (protocol, host, and port) supplied as the second argument, instead resolving the URL against the scheme of the base URL but adopting the attacker-controlled hostname.

This allows an attacker to specify an external domain in the URL path, tricking the Angular SSR environment into setting the page's virtual location (accessible via DOCUMENT or PlatformLocation tokens) to this attacker-controlled domain. Any subsequent relative HTTP requests made during the SSR process (e.g., using HttpClient.get('assets/data.json')) will be incorrectly resolved against the attacker's domain, forcing the server to communicate with an arbitrary external endpoint.

Exploit Scenario

A request to http://localhost:4200//attacker-domain.com/some-page causes Angular to believe the host is attacker-domain.com. A relative request to api/data then becomes a server-side request to http://attacker-domain.com/api/data.

Patches

@angular/ssr 19.2.18
@angular/ssr 20.3.6
@angular/ssr 21.0.0-next.8

Mitigation

The application's internal location must be robustly determined from the incoming request. The fix requires sanitizing or validating the request path to prevent it from being interpreted as a schema-relative URL (i.e., ensuring it does not start with //).

Server-Side Middleware

If you can't upgrade to a patched version, implement a middleware on the Node.js/Express server that hosts the Angular SSR application to explicitly reject or sanitize requests where the path begins with a double slash (//).

Example (Express/Node.js):

// Place this middleware before the Angular SSR handler
app.use((req, res, next) => {
  if (req.originalUrl?.startsWith('//')) {
    // Sanitize by forcing a single slash
    req.originalUrl = req.originalUrl.replace(/^\/\/+/, '/');
    req.url = req.url.replace(/^\/\/+/, '/');
  }
  next();
});

References

Report: https://github.com/angular/angular-cli/issues/31464
Fix: https://github.com/angular/angular-cli/pull/31474

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-62427

GHSA ID

GHSA-q63q-pgmf-mxhr

EPSS Score

CWE

CWE-918

Published

10/16/2025

Updated

10/16/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@angular/ssr	npm	>= 19.0.0-next.0, < 19.2.18	19.2.18
@angular/ssr	npm	>= 20.0.0-next.0, < 20.3.6	20.3.6
@angular/ssr	npm	>= 21.0.0-next.0, < 21.0.0-next.8	21.0.0-next.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the @angular/ssr package and is a Server-Side Request Forgery (SSRF) flaw. The root cause is the improper handling of request URLs within the createRequestUrl function, located in packages/angular/ssr/node/src/request.ts. The analysis of the provided patch commit 5271547c80662de10cb3bcb648779a83f6efedfb confirms this. The vulnerable code used the URL constructor in a way that allowed an attacker to control the server's request destination. Specifically, the line return new URL(originalUrl ?? url, ${protocol}://${hostnameWithPort}); was the source of the issue. If an incoming request path started with //, the URL constructor would treat it as a protocol-relative URL, thus ignoring the intended host and using the one supplied by the attacker in the path. The patch corrects this by creating a single, absolute URL string before passing it to the URL constructor, ensuring the host cannot be overridden. Therefore, the createRequestUrl function is the precise location of the vulnerability.

Vulnerable functions

createRequestUrl

packages/angular/ssr/node/src/request.ts

The function `createRequestUrl` was vulnerable to Server-Side Request Forgery (SSRF). It used the `URL` constructor with a base URL, which is the second argument. When the input `originalUrl` or `url` started with a double forward slash (`//`), the `URL` constructor interpreted it as a schema-relative URL. This behavior caused the constructor to use the attacker-controlled hostname from the path, overriding the legitimate hostname provided in the base URL. As a result, any subsequent relative HTTP requests made during server-side rendering would be directed to the attacker's domain.

WAF Protection Rules

WAF Rule

### Imp**t T** vuln*r**ility is * **S*rv*r-Si** R*qu*st *or**ry (SSR*)** *l*w wit*in t** URL r*solution m****nism o* *n*ul*r's S*rv*r-Si** R*n**rin* p**k*** (`@*n*ul*r/ssr`). T** *un*tion `*r**t*R*qu*stUrl` us*s t** n*tiv* `URL` *onstru*tor. W**n *n

Reasoning

T** vuln*r**ility *xists in t** `@*n*ul*r/ssr` p**k*** *n* is * S*rv*r-Si** R*qu*st *or**ry (SSR*) *l*w. T** root **us* is t** improp*r **n*lin* o* r*qu*st URLs wit*in t** `*r**t*R*qu*stUrl` *un*tion, lo**t** in `p**k***s/*n*ul*r/ssr/no**/sr*/r*qu*st

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-62427: Angular SSR has a Server-Side Request Forgery (SSRF) flaw

Impact

Exploit Scenario

Patches

Mitigation

Server-Side Middleware

References

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI