PT-2025-42540 · Google · Angular+1

Published: 2025-10-16 · Updated: 2025-10-20 · CVE-2025-62427

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Angular versions prior to 19.2.18
Angular versions prior to 20.3.6
Angular versions prior to 21.0.0-next.8

Description
The issue is a Server-Side Request Forgery (SSRF) flaw in the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr). The createRequestUrl function uses the native URL constructor. When an incoming request path, such as originalUrl or url, begins with a double forward slash (//) or backslash (\), the URL constructor treats it as a scheme-relative URL. This overrides the intended base URL, allowing an attacker to specify an external domain in the URL path. Subsequent relative HTTP requests, such as HttpClient.get('assets/data.json'), are then incorrectly resolved against the attacker's domain, forcing the server to communicate with an arbitrary external endpoint.

Recommendations
Update to Angular version 19.2.18 or later.
Update to Angular version 20.3.6 or later.
Update to Angular version 21.0.0-next.8 or later.
If updating is not immediately possible, implement middleware on the Node.js/Express server hosting the Angular SSR application to reject or sanitize requests where the path begins with a double slash (//).

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

CVE-2025-62427
GHSA-Q63Q-PGMF-MXHR

Affected Products

@Angular/Ssr
Angular