CVE-2025-62427 Overview
CVE-2025-62427 is a Server-Side Request Forgery (SSRF) vulnerability in Angular's Server-Side Rendering package (@angular/ssr). The flaw resides in the createRequestUrl function, which uses the native URL constructor without validating incoming request paths. When a request path begins with // or \\, the constructor interprets it as a schema-relative URL and adopts an attacker-controlled hostname. This overrides the intended base URL and redirects subsequent relative HTTP requests made during SSR to an external endpoint controlled by the attacker. The vulnerability is fixed in versions 19.2.18, 20.3.6, and 21.0.0-next.8.
Critical Impact
Attackers can coerce the SSR server into issuing relative HTTP requests against an arbitrary external domain, leading to confidentiality loss and potential pivoting into internal services.
Affected Products
- @angular/ssr versions prior to 19.2.18
- @angular/ssr versions prior to 20.3.6
- @angular/ssr versions prior to 21.0.0-next.8
Discovery Timeline
- 2025-10-16 - CVE-2025-62427 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-62427
Vulnerability Analysis
The vulnerability is classified under [CWE-918] Server-Side Request Forgery. Angular SSR pre-renders pages on the Node.js server, where the createRequestUrl function constructs a URL object from the incoming IncomingMessage or Http2ServerRequest. The function passes the raw request path as the first argument to the URL constructor and the server's base URL as the second argument. This pattern is normally safe, but the native URL constructor applies special handling when the path begins with // or \\.
In that case, the constructor treats the path as a protocol-relative reference. It preserves the scheme from the base URL but adopts the hostname from the request path. The resulting URL object reflects an attacker-controlled host instead of the server's own host.
Root Cause
The root cause is missing validation of the request path before delegating to the URL constructor. The SSR runtime exposes the resulting URL through the DOCUMENT and PlatformLocation tokens. Any code that issues relative HTTP requests during rendering, such as HttpClient.get('assets/data.json'), resolves those requests against the poisoned base. The server then transmits requests to the attacker's domain.
Attack Vector
An unauthenticated remote attacker sends an HTTP request with a crafted path such as //attacker.example.com/path. The SSR pipeline parses this as a protocol-relative URL and rebases all relative fetches during rendering against attacker.example.com. This can be used to exfiltrate session-bound data, probe internal network services through the SSR host, or substitute attacker-supplied responses for assets consumed during rendering.
// Security patch in packages/angular/ssr/node/src/request.ts
// fix(@angular/ssr): prevent malicious URL from overriding host
* @param nodeRequest - The Node.js `IncomingMessage` or `Http2ServerRequest` object to extract URL information from.
* @returns A `URL` object representing the request URL.
*/
-function createRequestUrl(nodeRequest: IncomingMessage | Http2ServerRequest): URL {
+export function createRequestUrl(nodeRequest: IncomingMessage | Http2ServerRequest): URL {
const {
headers,
socket,
Source: Angular CLI Commit 5271547
Detection Methods for CVE-2025-62427
Indicators of Compromise
- Inbound HTTP requests where originalUrl or url begins with // or \\ followed by an external hostname.
- Outbound connections from the SSR Node.js process to domains that do not match the application's expected asset or API hosts.
- Application logs showing relative asset fetches resolving against unexpected hostnames in DOCUMENT.location or PlatformLocation.
Detection Strategies
- Inspect reverse proxy and access logs for request paths matching the regex ^(\/\/|\\\\)[^\/]+ and correlate with the SSR process identifier.
- Instrument HttpClient interceptors during SSR to log the fully resolved request URL and alert on hosts outside an allowlist.
- Audit installed @angular/ssr versions across build pipelines and production hosts using npm ls @angular/ssr.
Monitoring Recommendations
- Monitor egress traffic from SSR workloads and flag connections to domains not present in the application's allowlist.
- Alert on anomalous DNS resolutions originating from Node.js SSR containers.
- Track exceptions and timeouts emitted by HttpClient during render, which can indicate failed SSRF attempts against unreachable hosts.
How to Mitigate CVE-2025-62427
Immediate Actions Required
- Upgrade @angular/ssr to 19.2.18, 20.3.6, or 21.0.0-next.8 depending on the active major version.
- Rebuild and redeploy SSR-enabled Angular applications and invalidate cached server bundles.
- Review SSR egress logs since the package was deployed for evidence of requests to unexpected hosts.
Patch Information
The Angular team published the fix in commit 5271547c80662de10cb3bcb648779a83f6efedfb and tracked the issue under advisory GHSA-q63q-pgmf-mxhr. The patch hardens createRequestUrl so that paths beginning with // or \\ no longer override the configured base host. Refer to the Angular Security Advisory GHSA-q63q-pgmf-mxhr for full vendor guidance.
Workarounds
- Add a reverse proxy rule that rejects or normalizes request paths starting with // or \\ before traffic reaches the Node.js SSR process.
- Restrict outbound network access from the SSR runtime to an explicit allowlist of asset and API domains.
- Implement an HttpClient interceptor that validates the resolved URL against trusted hosts before issuing the request.
# Upgrade @angular/ssr to a patched version
npm install @angular/ssr@^20.3.6
# Verify the installed version
npm ls @angular/ssr
# Example nginx rule to reject schema-relative paths
# location ~ "^/{2,}|^\\\\" { return 400; }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
