CVE-2025-62427: 
JavaScript vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Angular's Server-Side Rendering package (@angular/ssr) affecting versions before 19.2.18, 20.3.6, and 21.0.0-next.8. The vulnerability was disclosed on October 16, 2025, and assigned identifier CVE-2025-62427. The flaw exists within the URL resolution mechanism of the package, specifically in the createRequestUrl function (GitHub Advisory).

The vulnerability stems from the improper handling of URL construction in the createRequestUrl function. When an incoming request path begins with a double forward slash (//) or backslash (), the native URL constructor treats it as a schema-relative URL. This behavior bypasses the security-intended base URL (protocol, host, and port), allowing the URL to resolve against the scheme of the base URL while adopting an attacker-controlled hostname. The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (High) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

When exploited, this vulnerability allows an attacker to specify an external domain in the URL path, which tricks the Angular SSR environment into setting the page's virtual location to an attacker-controlled domain. As a result, any subsequent relative HTTP requests made during the SSR process (e.g., using HttpClient.get('assets/data.json')) will be incorrectly resolved against the attacker's domain, forcing the server to communicate with arbitrary external endpoints (GitHub Advisory).

The vulnerability has been fixed in versions 19.2.18, 20.3.6, and 21.0.0-next.8. For users unable to upgrade immediately, a server-side middleware solution can be implemented to explicitly reject or sanitize requests where the path begins with a double slash. This can be done by implementing a middleware that replaces multiple leading slashes with a single slash before processing the request (GitHub Advisory).