CVE-2025-66035

Nov. 26, 2025, 11:15 p.m.

7.7
High

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Product(s) Impacted

Vendor Product Versions
Angular
  • Angular
  • Angular Httpclient
  • *
  • <19.2.16-21.0.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-201
Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a angular angular / / / / / / / /
a angular angular_httpclient <19.2.16-21.0.1 / / / / / / /

References

https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f
https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc
https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e
https://github.com/angular/angular/releases/tag/19.2.16
https://github.com/angular/angular/releases/tag/20.3.14
https://github.com/angular/angular/releases/tag/21.0.1
https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37

Tags

security-advisories@github.com
CWE-201
2025-11-26
CVE-2025-66035

CVSS Score

7.7 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Nov. 26, 2025, 11:15 p.m.
Last Modified: Nov. 26, 2025, 11:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.