SSRF in Angular Angular-cli
CVE-2025-62427
Angular SSR is a server-side rendering tool for Angular applications. The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr) before 1…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.001 (21.2th percentile)
Affected products
- Angular Angular-cli: versions >=19.0.0-next.0 and <19.2.18; >=20.0.0-next.0 and <20.3.6; >=21.0.0-next.0 and <21.0.0-next.8
Weakness classification (CWE)
References
- https://github.com/angular/angular-cli/security/advisories/GHSA-q63q-pgmf-mxhr (x_refsource_CONFIRM)
- https://github.com/angular/angular-cli/commit/5271547c80662de10cb3bcb648779a83f6efedfb (x_refsource_MISC)