An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1xNjNxLXBnbWYtbXhocs4ABNgF

Severity: High; CVSS: 8.7; EPSS: 0.00068% (0.21046 percentile)

Angular SSR has a Server-Side Request Forgery (SSRF) flaw

Affected package: npm:@angular/ssr
PURL: pkg:npm/%40angular%2Fssr
Affected versions: >= 21.0.0-next.0, < 21.0.0-next.8; >= 20.0.0-next.0, < 20.3.6; >= 19.0.0-next.0, < 19.2.18
Fixed versions: 21.0.0-next.8, 20.3.6, 19.2.18
Dependent packages: 51
Dependent repositories: 0
Downloads last month: 1,587,825

Affected Version Ranges

All affected versions

19.0.0, 19.0.0-next.1, 19.0.0-next.2, 19.0.0-next.3, 19.0.0-next.4, 19.0.0-next.5, 19.0.0-next.6, 19.0.0-next.7, 19.0.0-next.8, 19.0.0-next.9, 19.0.0-next.10, 19.0.0-next.11, 19.0.0-next.12, 19.0.0-next.13, 19.0.0-rc.0, 19.0.0-rc.1, 19.0.0-rc.2, 19.0.0-rc.3, 19.0.1, 19.0.2, 19.0.3, 19.0.4, 19.0.5, 19.0.6, 19.0.7, 19.1.0, 19.1.0-next.0, 19.1.0-next.1, 19.1.0-next.2, 19.1.0-rc.0, 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.1.5, 19.1.6, 19.1.7, 19.1.8, 19.1.9, 19.2.0, 19.2.0-next.0, 19.2.0-next.1, 19.2.0-next.2, 19.2.0-rc.0, 19.2.1, 19.2.2, 19.2.3, 19.2.4, 19.2.5, 19.2.6, 19.2.7, 19.2.8, 19.2.9, 19.2.10, 19.2.11, 19.2.12, 19.2.13, 19.2.14, 19.2.15, 19.2.16, 19.2.17, 20.0.0, 20.0.0-next.1, 20.0.0-next.2, 20.0.0-next.3, 20.0.0-next.4, 20.0.0-next.5, 20.0.0-next.6, 20.0.0-next.7, 20.0.0-next.8, 20.0.0-next.9, 20.0.0-rc.0, 20.0.0-rc.1, 20.0.0-rc.2, 20.0.0-rc.3, 20.0.0-rc.4, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 20.0.6, 20.1.0, 20.1.0-next.0, 20.1.0-next.1, 20.1.0-next.2, 20.1.0-next.3, 20.1.0-rc.0, 20.1.1, 20.1.2, 20.1.3, 20.1.4, 20.1.5, 20.1.6, 20.2.0, 20.2.0-next.0, 20.2.0-next.1, 20.2.0-next.2, 20.2.0-next.3, 20.2.0-rc.0, 20.2.0-rc.1, 20.2.1, 20.2.2, 20.3.0, 20.3.0-rc.0, 20.3.1, 20.3.2, 20.3.3, 20.3.4, 20.3.5, 21.0.0-next.1, 21.0.0-next.2, 21.0.0-next.3, 21.0.0-next.4, 21.0.0-next.5, 21.0.0-next.6, 21.0.0-next.7

All unaffected versions

17.0.0, 17.0.1, 17.0.2, 17.0.3, 17.0.4, 17.0.5, 17.0.6, 17.0.7, 17.0.8, 17.0.9, 17.0.10, 17.1.0, 17.1.1, 17.1.2, 17.1.3, 17.1.4, 17.2.0, 17.2.1, 17.2.2, 17.2.3, 17.3.0, 17.3.1, 17.3.2, 17.3.3, 17.3.4, 17.3.5, 17.3.6, 17.3.7, 17.3.8, 17.3.9, 17.3.10, 17.3.11, 17.3.12, 17.3.13, 17.3.14, 17.3.15, 17.3.16, 17.3.17, 18.0.0, 18.0.1, 18.0.2, 18.0.3, 18.0.4, 18.0.5, 18.0.6, 18.0.7, 18.1.0, 18.1.1, 18.1.2, 18.1.3, 18.1.4, 18.2.0, 18.2.1, 18.2.2, 18.2.3, 18.2.4, 18.2.5, 18.2.6, 18.2.7, 18.2.8, 18.2.9, 18.2.10, 18.2.11, 18.2.12, 18.2.13, 18.2.14, 18.2.15, 18.2.16, 18.2.17, 18.2.18, 18.2.19, 18.2.20, 18.2.21, 19.2.18, 19.2.19, 19.2.20, 19.2.21, 19.2.22, 20.3.6, 20.3.7, 20.3.8, 20.3.9, 20.3.10, 20.3.11, 20.3.12, 20.3.13, 20.3.14, 20.3.15, 20.3.16, 20.3.17, 20.3.18, 20.3.19, 20.3.20, 21.0.0, 21.0.1, 21.0.2, 21.0.3, 21.0.4, 21.0.5, 21.0.6, 21.1.0, 21.1.1, 21.1.2, 21.1.3, 21.1.4, 21.1.5, 21.2.0, 21.2.1, 21.2.2

Potentially Affected Packages

These packages share the same source repository and may be affected by this vulnerability, but are not listed in the advisory.

Package Ecosystem Latest Version
@schematics/update npm
angular-cli npm
@angular/cli npm
@angular-devkit/build-angular npm
@angular-devkit/architect npm
@angular-devkit/build-webpack npm
@angular-devkit/schematics-cli npm
@angular-devkit/architect-cli npm
@ngtools/json-schema npm
org.webjars.npm:angular-devkit__build-angular maven
org.webjars.npm:angular-cli maven
@angular-cli/base-href-webpack npm
org.webjars.npm:schematics__update maven
org.webjars.npm:ngtools__webpack maven
org.webjars.npm:ngtools__json-schema maven
org.webjars.npm:angular-devkit__architect maven
@angular-devkit/build-ng-packagr npm
@angular-devkit/build-optimizer npm
angular-cli bower
@ngtools/webpack npm
@schematics/package-update npm
@schematics/schematics npm
@angular/pwa npm
ng-metadata-cli npm
@angular.cn/cli npm
arnohovhannisyan-schematics npm
@rezonant/ngtools-webpack npm
sample-cli-cli npm
webdevkit-gug npm
hydra-webpack-plugin npm
@angular-devkit/core npm
@angular-devkit/schematics npm
github.com/angular/angular-cli go
@schematics/angular npm
nodePackages."@angular/cli" nixpkgs
nodePackages_latest."@angular/cli" nixpkgs
angular-devkit-web3 npm
angular-cli-pug npm
@letznav/ngtools-webpack npm
create-angular npm
@mcph/ngtools-webpack npm
angular-cli-with-use-yarn npm
angular-devkit_build-angular_v7-no-vuln npm
angularcli-patched-cryptiles npm
kamilkisiela-angular-cli npm
@angular-architects/build-angular npm
@crexi-dev/schematics npm
org.webjars.npm:angular-devkit__schematics maven
org.webjars.npm:angular-devkit__core maven
org.webjars.npm:schematics__angular maven
org.webjars.npm:angular-devkit__build-webpack maven
org.mvnpm.at.ngtools:webpack maven
org.mvnpm.at.angular-devkit:architect maven
org.mvnpm.at.angular-devkit:schematics maven
org.mvnpm.at.angular:cli maven
org.mvnpm.at.angular-devkit:core maven
org.mvnpm.at.schematics:angular maven
@danyjaen/webpack npm
@englishcentral/webpack npm
@jetlogs/webpack npm
@ngtools/logger npm
@nrwl/nx-fiendly-angular-cli npm
@rush/webpack npm
@sedpro/webpack-multiple-entries npm
@tarunc/ngtools npm
hydra-ngtools-webpack npm
nashtech-angular-cli npm
ng-cli-2 npm
ngapp-cli npm
ngtools-skip-remove-decorators npm
xiaoliang2233angularcli npm
@angular/create npm
@public-package/ng-packagr npm
angular-cli-patched npm
@crexi-dev/build-ng-packagr npm
angular-cli-europlan npm
@zoitravel/angular-cli npm
org.webjars.npm:angular__cli maven
org.webjars.npm:angular-devkit__build-optimizer maven
@angular/build npm
@angular-cli/ast-tools npm
@depup/angular__cli npm
@depup/angular-devkit__build-angular npm
@depup/angular-devkit__core npm
@depup/angular-devkit__schematics npm
@depup/angular-devkit__architect npm
@depup/angular-devkit__build-webpack npm
@depup/angular-devkit__schematics-cli npm
@depup/angular__build npm
@depup/ngtools__webpack npm
@depup/schematics__angular npm

Impact

The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr).

The function createRequestUrl uses the native URL constructor. When an incoming request path (e.g., originalUrl or url) begins with a double forward slash (//) or a backslash (\), the URL constructor treats it as a scheme-relative (protocol-relative) URL. The base URL (protocol, host, and port) supplied as the second argument, which was meant to pin the request to the server's own origin, is then consulted only for its scheme: the resulting URL keeps the base's protocol but adopts the attacker-controlled hostname taken from the path.

This allows an attacker to specify an external domain in the URL path, tricking the Angular SSR environment into setting the page's virtual location (accessible via DOCUMENT or PlatformLocation tokens) to this attacker-controlled domain. Any subsequent relative HTTP requests made during the SSR process (e.g., using HttpClient.get('assets/data.json')) will be incorrectly resolved against the attacker's domain, forcing the server to communicate with an arbitrary external endpoint.

Exploit Scenario

A request to http://localhost:4200//attacker-domain.com/some-page causes Angular to believe the host is attacker-domain.com. A relative request to api/data then becomes a server-side request to http://attacker-domain.com/api/data.

Patches

  • @angular/ssr 19.2.18
  • @angular/ssr 20.3.6
  • @angular/ssr 21.0.0-next.8

Mitigation

The application's internal location must be robustly determined from the incoming request. The fix sanitizes or validates the request path so that it cannot be interpreted as a scheme-relative URL (i.e., it must not start with //).

Server-Side Middleware

If you can't upgrade to a patched version, implement a middleware on the Node.js/Express server that hosts the Angular SSR application to explicitly reject or sanitize requests where the path begins with a double slash (//).

Example (Express/Node.js):

// Place this middleware before the Angular SSR handler
app.use((req, res, next) => {
  if (req.originalUrl?.startsWith('//')) {
    // Sanitize by forcing a single slash
    req.originalUrl = req.originalUrl.replace(/^\/\/+/, '/');
    req.url = req.url.replace(/^\/\/+/, '/');
  }
  next();
});
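The following is an added example, not code from @angular/ssr or from the advisory. It reproduces the URL-resolution behaviour described under Impact with Node's built-in WHATWG URL class, shows where a later relative request lands (the Exploit Scenario above), and pairs it with a hardened resolver and an Express-style normaliser covering both the // and \ prefixes; BASE, resolveNaive, resolveHardened and normalizeLeadingSlashes are constructed names for this illustration.

```javascript
// Added example, not code from @angular/ssr or the advisory. It reproduces the
// URL-resolution behaviour described above with Node's built-in WHATWG URL class
// (Node 18+, no packages) and contrasts it with a hardened resolver plus an
// Express-style normaliser. BASE is a constructed stand-in for the SSR origin.
const BASE = 'http://localhost:4200';

// Unsafe pattern: resolve the raw request path against the server's base URL.
// A path starting with "//" (or "\\", which the WHATWG parser treats like "//"
// for http/https) is scheme-relative, so its host replaces the base host.
function resolveNaive(requestPath) {
  return new URL(requestPath, BASE);
}

// Where a later relative HttpClient call lands during rendering, given the
// virtual location derived from the request path.
function resolveRelativeRequest(requestPath, relativeUrl) {
  return new URL(relativeUrl, resolveNaive(requestPath)).href;
}

// Hardened resolver: collapse any leading run of "/" or "\" to a single "/",
// then refuse the result unless it still sits on the server's own origin.
function resolveHardened(requestPath) {
  const sanitized = requestPath.replace(/^[\\/]+/, '/');
  const resolved = new URL(sanitized, BASE);
  if (resolved.origin !== new URL(BASE).origin) {
    throw new Error(`request path resolves off-origin: ${requestPath}`);
  }
  return resolved;
}

// Express-style middleware helper (hypothetical name): rewrites a leading run of
// two or more "/" or "\" on req.originalUrl and req.url to a single "/".
// Returns true when a rewrite happened so the caller can log the event.
function normalizeLeadingSlashes(req) {
  const schemeRelative = /^[\\/]{2,}/;
  const hit = schemeRelative.test(req.originalUrl ?? '') ||
    schemeRelative.test(req.url ?? '');
  if (hit) {
    req.originalUrl = (req.originalUrl ?? '').replace(/^[\\/]+/, '/');
    req.url = (req.url ?? '').replace(/^[\\/]+/, '/');
  }
  return hit;
}

// Usage in Express (hypothetical app): app.use((req, res, next) => { normalizeLeadingSlashes(req); next(); });
```

The origin comparison in resolveHardened is the check worth keeping even after upgrading: whatever form the incoming path takes, the rendered page's virtual location must never leave the server's own origin.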
