CVE-2025-66035
Deferred Deferred - Pending Action
BaseFortify

Publication date: 2025-11-26

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-26
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2025-11-27
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66035
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
angular angular *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (XSRF) token leakage in Angular's HttpClient when using protocol-relative URLs (URLs starting with //). Angular's HttpClient incorrectly treats these URLs as same-origin requests and automatically adds the XSRF token to the request header. This leads to unauthorized disclosure of the XSRF token to attacker-controlled domains. The issue has been fixed in Angular versions 19.2.16, 20.3.14, and 21.0.1. A workaround is to avoid using protocol-relative URLs and instead use relative paths or fully qualified, trusted absolute URLs.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of the XSRF token, which is intended to protect against Cross-Site Request Forgery attacks. If an attacker obtains this token, they could potentially perform unauthorized actions on behalf of a user by bypassing the XSRF protection, leading to compromised user accounts or unauthorized operations within the affected web application.

Mitigation Strategies

To mitigate this vulnerability, avoid using protocol-relative URLs (URLs starting with //) in Angular HttpClient requests. Instead, use hardcoded relative paths starting with a single / or fully qualified, trusted absolute URLs. Additionally, upgrade Angular to versions 19.2.16, 20.3.14, or 21.0.1 or later where the issue is patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66035. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart