CVE-2025-62427 is a Server-Side Request Forgery (SSRF) vulnerability identified in Angular's Server-Side Rendering (SSR) package (@angular/ssr) prior to versions 19.2.18, 20.3.6, and 21.0.0-next.8. The vulnerability stems from the createRequestUrl function, which uses the native URL constructor to resolve URLs during SSR. When an incoming request path begins with double forward slashes (//) or backslashes (\\), the URL constructor interprets this as a schema-relative URL, overriding the intended base URL's hostname with an attacker-controlled hostname. This manipulation causes the SSR environment to set the page's virtual location to the attacker's domain. Consequently, any relative HTTP requests made during SSR, such as HttpClient.get('assets/data.json'), are resolved against the malicious domain, forcing the server to communicate with external endpoints controlled by the attacker. This can lead to unauthorized data exfiltration, internal network scanning, or other SSRF-related impacts. The vulnerability requires no authentication or user interaction and can be exploited remotely. It affects Angular CLI versions in the specified ranges and has a CVSS 4.0 score of 8.7, indicating high severity. The flaw has been addressed in the patched versions mentioned, but no known exploits are currently reported in the wild.

For European organizations, this SSRF vulnerability poses significant risks, particularly for those deploying Angular SSR in production environments. Exploitation can lead to unauthorized internal network access, data leakage, or interaction with internal services not intended to be exposed externally. This can compromise confidentiality and integrity of sensitive data and potentially disrupt availability if the attacker leverages the SSRF to perform denial-of-service attacks on internal resources. Organizations relying on Angular SSR for rendering dynamic content on their websites or applications may inadvertently expose backend services or cloud metadata endpoints. Given the widespread use of Angular in Europe’s web development ecosystem, especially in sectors like finance, government, and e-commerce, the impact could be substantial. Attackers could exploit this vulnerability to pivot into internal networks or exfiltrate sensitive information, increasing the risk of data breaches and regulatory non-compliance under GDPR.

The primary mitigation is to upgrade Angular SSR packages to versions 19.2.18, 20.3.6, 21.0.0-next.8, or later, where the vulnerability is fixed. Organizations should audit their Angular SSR implementations to ensure no untrusted input can influence URL paths starting with // or \\. Implement strict input validation and sanitization on incoming request URLs to prevent schema-relative URL injection. Additionally, configure network egress controls to restrict SSR server outbound HTTP requests to only trusted domains and internal services, limiting the impact of potential SSRF exploitation. Employ runtime monitoring and logging to detect unusual outbound requests originating from SSR processes. Consider using Web Application Firewalls (WAFs) with SSRF detection capabilities to block suspicious requests. Finally, conduct security testing focused on SSRF scenarios in Angular SSR environments to identify and remediate any residual risks.