Server-Side Request Forgery Vulnerability in Angular CLI Component
CVE-2025-62427

8.7 HIGH

Key Information:

Vendor: Angular

CVE Published: 16 October 2025

What is CVE-2025-62427?

The Angular CLI is affected by a Server-Side Request Forgery (SSRF) flaw in the URL resolution logic of the @angular/ssr package. The issue arises when incoming request paths that begin with double forward slashes (//) or backslashes (\) are processed: the URL constructor treats them as scheme-relative URLs, so an attacker can steer URL resolution toward an external domain they control. This may allow unauthorized access to resources and cause the server to communicate with potentially harmful external endpoints during server-side rendering. The flaw has been addressed in versions 19.2.18, 20.3.6, and 21.0.0-next.8.
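The behaviour described above, shown as an added example that is not Angular's code: the WHATWG URL constructor used by Node resolves a request path starting with "//" or "\\" against a base origin as a scheme-relative URL, and a hardened resolver strips those leading separators and verifies the result stayed on the server's own origin. The origin and hostnames are constructed placeholders.

```javascript
// Constructed placeholder for the SSR server's own origin.
const SERVER_ORIGIN = "https://app.example.test";

// Naive resolution, the pattern behind the advisory: new URL(path, base)
// treats "//host/x" as scheme-relative, and for special schemes such as
// https the parser normalises backslashes to slashes, so "\\host\x" behaves
// the same way. The resulting URL points at "host", not at SERVER_ORIGIN.
function resolveNaive(requestPath) {
  return new URL(requestPath, SERVER_ORIGIN).href;
}

// Hardened resolution: collapse every leading "/" or "\" into a single "/"
// so the path can never be read as scheme-relative, then assert that the
// resolved origin is still the server's own (defence in depth).
function resolveSafe(requestPath) {
  const normalized = "/" + requestPath.replace(/^[\/\\]+/, "");
  const url = new URL(normalized, SERVER_ORIGIN);
  if (url.origin !== SERVER_ORIGIN) {
    throw new Error("resolved URL left the server origin: " + url.href);
  }
  return url.href;
}

// Returns true when naive resolution would leave the server origin; useful
// as a detection check in request logging or tests.
function leavesOrigin(requestPath) {
  return new URL(requestPath, SERVER_ORIGIN).origin !== SERVER_ORIGIN;
}
```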

Affected Version(s)

angular-cli: >=19.0.0-next.0, <19.2.18 (fixed in 19.2.18)

angular-cli: >=20.0.0-next.0, <20.3.6 (fixed in 20.3.6)

angular-cli: >=21.0.0-next.0, <21.0.0-next.8 (fixed in 21.0.0-next.8)

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved