CVE-2025-62427 is a Server-Side Request Forgery (SSRF) vulnerability identified in the Angular CLI's Server-Side Rendering (SSR) package (@angular/ssr) prior to versions 19.2.18, 20.3.6, and 21.0.0-next.8. The vulnerability stems from the way the createRequestUrl function utilizes the native URL constructor to resolve incoming request paths. When a request path begins with double forward slashes (//) or backslashes (\\), the URL constructor interprets it as a schema-relative URL, which overrides the intended base URL's host and port, adopting the attacker-controlled hostname instead. This manipulation allows an attacker to set the virtual page location within the SSR environment to an arbitrary external domain. Consequently, any relative HTTP requests made during SSR, such as HttpClient.get('assets/data.json'), are resolved against the attacker-controlled domain rather than the legitimate server domain. This can force the server to communicate with malicious external endpoints, potentially leaking sensitive internal data or enabling further attacks like data exfiltration or SSRF pivoting. The vulnerability requires no authentication or user interaction and can be exploited remotely. It affects Angular CLI versions from 19.0.0-next.0 up to but not including 19.2.18, 20.0.0-next.0 up to but not including 20.3.6, and 21.0.0-next.0 up to but not including 21.0.0-next.8. The issue has been addressed in the specified patched versions. Although no known exploits are currently reported in the wild, the high CVSS 4.0 score of 8.7 reflects the significant risk posed by this SSRF flaw.

For European organizations, this SSRF vulnerability in Angular CLI's SSR package can have serious security implications. Organizations using Angular SSR for server-side rendering of web applications may inadvertently allow attackers to redirect internal HTTP requests to malicious external servers. This can lead to unauthorized data disclosure, including sensitive configuration or internal API data, and may facilitate further attacks such as internal network reconnaissance or exploitation of trust relationships. The vulnerability's remote exploitability without authentication increases the risk of automated attacks and widespread exploitation. Given Angular's popularity in Europe for enterprise and public sector web applications, the impact could affect a broad range of industries, including finance, healthcare, and government services. Additionally, compromised SSR processes could undermine application integrity and availability, damaging organizational reputation and compliance posture under regulations like GDPR. The lack of known exploits in the wild suggests a window of opportunity for proactive mitigation before active exploitation occurs.

European organizations should immediately upgrade Angular CLI and the @angular/ssr package to versions 19.2.18, 20.3.6, 21.0.0-next.8, or later to apply the official fix. Beyond patching, developers should audit SSR implementations to ensure that URL resolution does not rely solely on native URL constructors without proper validation of input paths. Implement strict input validation and sanitization for incoming request URLs, specifically rejecting or normalizing paths starting with double slashes or backslashes that could be interpreted as schema-relative URLs. Employ network-level controls such as egress filtering to restrict SSR server outbound HTTP requests to only trusted domains and internal resources, preventing SSRF exploitation from reaching arbitrary external endpoints. Monitor SSR logs for unusual outbound requests or anomalies in URL resolution. Incorporate security testing in CI/CD pipelines to detect SSRF patterns and validate SSR behavior under malicious input scenarios. Finally, raise developer awareness about SSRF risks in SSR contexts and encourage secure coding practices around URL handling.