CVE-2025-66035 - Vulnerability Details

Vendors	Products
Angular	Angular

Link	Providers
https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f
https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc
https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e
https://github.com/angular/angular/releases/tag/19.2.16
https://github.com/angular/angular/releases/tag/20.3.14
https://github.com/angular/angular/releases/tag/21.0.1
https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37

Type	Values Removed	Values Added
First Time appeared		Angular Angular angular
Vendors & Products		Angular Angular angular

Type	Values Removed	Values Added
Description		Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
Title		Angular HTTP Client Has XSRF Token Leakage via Protocol-Relative URLs
Weaknesses		CWE-201 CWE-359
References		https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e https://github.com/angular/angular/releases/tag/19.2.16 https://github.com/angular/angular/releases/tag/20.3.14 https://github.com/angular/angular/releases/tag/21.0.1 https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37
Metrics		cvssV4_0 `{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66035", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-21T01:08:02.615Z", "datePublished": "2025-11-26T22:18:35.692Z", "dateUpdated": "2025-11-26T22:18:35.692Z"}, "containers": {"cna": {"title": "Angular HTTP Client Has XSRF Token Leakage via Protocol-Relative URLs", "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "lang": "en", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-359", "lang": "en", "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37"}, {"name": "https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f", "tags": ["x_refsource_MISC"], "url": "https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f"}, {"name": "https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc", "tags": ["x_refsource_MISC"], "url": "https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc"}, {"name": "https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e", "tags": ["x_refsource_MISC"], "url": "https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e"}, {"name": "https://github.com/angular/angular/releases/tag/19.2.16", "tags": ["x_refsource_MISC"], "url": "https://github.com/angular/angular/releases/tag/19.2.16"}, {"name": "https://github.com/angular/angular/releases/tag/20.3.14", "tags": ["x_refsource_MISC"], "url": "https://github.com/angular/angular/releases/tag/20.3.14"}, {"name": "https://github.com/angular/angular/releases/tag/21.0.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/angular/angular/releases/tag/21.0.1"}], "affected": [{"vendor": "angular", "product": "angular", "versions": [{"version": ">= 21.0.0-next.0, < 21.0.1", "status": "affected"}, {"version": ">= 20.0.0-next.0, < 20.3.14", "status": "affected"}, {"version": "< 19.2.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-26T22:18:35.692Z"}, "descriptions": [{"lang": "en", "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs."}], "source": {"advisory": "GHSA-58c5-g7wp-6w37", "discovery": "UNKNOWN"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs."}], "id": "CVE-2025-66035", "lastModified": "2025-11-26T23:15:49.550", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-11-26T23:15:49.550", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f"}, {"source": "security-advisories@github.com", "url": "https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc"}, {"source": "security-advisories@github.com", "url": "https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e"}, {"source": "security-advisories@github.com", "url": "https://github.com/angular/angular/releases/tag/19.2.16"}, {"source": "security-advisories@github.com", "url": "https://github.com/angular/angular/releases/tag/20.3.14"}, {"source": "security-advisories@github.com", "url": "https://github.com/angular/angular/releases/tag/21.0.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}, {"lang": "en", "value": "CWE-359"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object