Overview
CVE-2025-66035 is a security vulnerability affecting Angular applications. It involves the leakage of Cross-Site Request Forgery (XSRF) tokens through the use of protocol-relative URLs (those starting with //) within Angular’s HTTP client. An attacker who obtains a leaked token could use it to perform actions on behalf of legitimate users or gain unauthorized access.
Technical Details
Angular’s HttpClient includes a built-in XSRF protection mechanism. This mechanism checks if a request URL starts with a protocol (http:// or https://) to determine if it is a cross-origin request. If the URL is considered same-origin, the XSRF token is automatically added to the X-XSRF-TOKEN header.
The vulnerability arises because protocol-relative URLs (e.g., //example.com/api/data) do not start with http:// or https://, so Angular’s XSRF protection incorrectly treats them as same-origin requests. The XSRF token is therefore attached to the request even when the browser resolves the URL to a different, potentially attacker-controlled, domain. The server receiving that request obtains the token and can use it to craft forged requests against the application.
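The following is an added example, not Angular's own source code: it models the decision the HttpClient XSRF interceptor makes before adding the X-XSRF-TOKEN header, with the flawed same-origin test placed beside a corrected one that also recognises protocol-relative URLs. The function names, the sample token and the sample hostnames are constructed for illustration.

```javascript
// Added example (not Angular's own source): a model of the XSRF interceptor's
// "should I attach the token?" decision. Names and the sample token are constructed.

// Vulnerable test: only http:// and https:// prefixes count as absolute, so a
// protocol-relative URL such as //other.example/api is treated as same-origin.
function isAbsoluteUrlVulnerable(url) {
  const lc = url.toLowerCase();
  return lc.startsWith('http://') || lc.startsWith('https://');
}

// Corrected test: a leading // also means the request leaves the app's origin,
// because the browser resolves it by borrowing only the scheme of the current page.
function isAbsoluteUrlFixed(url) {
  const lc = url.toLowerCase();
  return lc.startsWith('http://') || lc.startsWith('https://') || lc.startsWith('//');
}

// Models the interceptor rule: GET/HEAD and absolute URLs pass through untouched;
// any other request gets the token unless the header is already present.
function applyXsrf(req, token, isAbsolute) {
  const method = req.method.toUpperCase();
  if (method === 'GET' || method === 'HEAD' || isAbsolute(req.url)) {
    return req;
  }
  if (token === null || 'X-XSRF-TOKEN' in req.headers) {
    return req;
  }
  return { ...req, headers: { ...req.headers, 'X-XSRF-TOKEN': token } };
}

// Does a POST to `url` carry the token under the given classifier?
function tokenAttached(url, isAbsolute) {
  const out = applyXsrf({ method: 'POST', url, headers: {} }, 'constructed-token', isAbsolute);
  return 'X-XSRF-TOKEN' in out.headers;
}

// Walk a list of URLs through both classifiers; a row with vulnerable=true and
// fixed=false is exactly the leak the advisory describes.
function leakReport(urls) {
  return urls.map((url) => ({
    url,
    vulnerable: tokenAttached(url, isAbsoluteUrlVulnerable),
    fixed: tokenAttached(url, isAbsoluteUrlFixed),
  }));
}

// Constructed sample URLs, including the protocol-relative form at issue.
console.table(leakReport([
  '/api/data',
  'https://other.example/api/data',
  '//other.example/api/data',
]));
```

In the table, `/api/data` keeps the token under both rules, the `https://` URL is skipped under both, and only `//other.example/api/data` differs: the vulnerable rule attaches the token while the corrected rule withholds it.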
CVSS Analysis
Currently, a CVSS score has not been assigned to CVE-2025-66035. However, given the potential for credential leakage, its severity is considered to be at least Medium, possibly High, depending on the sensitivity of the data protected by the XSRF token and the ease of exploitation.
Possible Impact
The successful exploitation of CVE-2025-66035 can lead to several adverse consequences:
- Credential Leakage: The XSRF token is exposed to an attacker-controlled domain.
- Account Takeover: If the XSRF token is used to protect sensitive user actions, an attacker can potentially perform those actions on behalf of the user.
- Data Manipulation: An attacker could modify data associated with the affected user.
- Unauthorized Access: The attacker could gain access to resources or functionalities that are normally restricted.
Mitigation and Patch Steps
The vulnerability has been addressed in the following Angular versions:
- Angular version 19.2.16
- Angular version 20.3.14
- Angular version 21.0.1
To mitigate this vulnerability, it is strongly recommended to upgrade your Angular application to one of the patched versions listed above.
Workaround: Until you can upgrade, avoid using protocol-relative URLs in Angular’s HttpClient requests. Ensure that all backend communication URLs are either:
- Hardcoded as relative paths (starting with a single /, e.g., /api/data).
- Fully qualified, trusted absolute URLs (e.g., https://yourdomain.com/api/data).
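The following is an added example, not part of the advisory or of the Angular project, of how an application could enforce the workaround above: a policy that accepts single-slash relative paths and absolute https URLs on an allowlisted origin, and rejects everything else, including protocol-relative URLs. It also shows, via the standard URL parser, why a protocol-relative URL leaves the application's origin. The origin, allowlist and function names are constructed assumptions.

```javascript
// Added example (not from the advisory or Angular): a request-URL policy that
// implements the workaround. APP_ORIGIN and TRUSTED_ORIGINS are constructed values.

const APP_ORIGIN = 'https://yourdomain.com';
const TRUSTED_ORIGINS = new Set([APP_ORIGIN, 'https://api.yourdomain.com']);

// Classifies a URL as 'relative', 'trusted-absolute' or 'rejected' (with a reason).
function classifyRequestUrl(url, appOrigin = APP_ORIGIN, trusted = TRUSTED_ORIGINS) {
  // Check the protocol-relative form before resolving: resolving it against the
  // app origin would produce an absolute URL on a different host.
  if (url.startsWith('//')) {
    return { kind: 'rejected', reason: 'protocol-relative URL' };
  }
  // A single leading slash stays on the app's own origin.
  if (url.startsWith('/')) {
    return { kind: 'relative', resolved: new URL(url, appOrigin).href };
  }
  let resolved;
  try {
    resolved = new URL(url); // no base: only a fully qualified URL parses here
  } catch {
    return { kind: 'rejected', reason: 'not a single-slash path or absolute URL' };
  }
  if (resolved.protocol !== 'https:') {
    return { kind: 'rejected', reason: 'scheme must be https' };
  }
  if (!trusted.has(resolved.origin)) {
    return { kind: 'rejected', reason: 'untrusted origin ' + resolved.origin };
  }
  return { kind: 'trusted-absolute', resolved: resolved.href };
}

// Where the browser would actually send the request: '//host/path' resolved
// against the page origin borrows only the scheme and lands on the other host.
function resolvedOrigin(url, appOrigin = APP_ORIGIN) {
  return new URL(url, appOrigin).origin;
}

// Guard to call before handing a URL to HttpClient; throws on policy violations.
function assertAllowedUrl(url) {
  const verdict = classifyRequestUrl(url);
  if (verdict.kind === 'rejected') {
    throw new Error('Blocked request URL "' + url + '": ' + verdict.reason);
  }
  return verdict.resolved;
}

// Constructed sample inputs covering each branch of the policy.
for (const url of [
  '/api/data',
  'https://yourdomain.com/api/data',
  '//other.example/api/data',
  'https://other.example/api/data',
  'http://yourdomain.com/api/data',
  'api/data',
]) {
  const verdict = classifyRequestUrl(url);
  console.log(url, '->', verdict.kind, verdict.reason || verdict.resolved,
    '| resolves to origin', resolvedOrigin(url));
}
```

A quick audit that complements this guard: search the application's source for string literals beginning with `//` that are passed to HttpClient methods or used to build its base URLs; any hit is a request that the vulnerable versions would have sent with the token attached.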
References
- GitHub Commit (19.2.x): 0276479e7d0e280e0f8d26fa567d3b7aa97a516f
- GitHub Commit (20.3.x): 05fe6686a97fa0bcd3cf157805b3612033f975bc
- GitHub Commit (21.0.x): 3240d856d942727372a705252f7c8c115394a41e
- Angular Release 19.2.16
- Angular Release 20.3.14
- Angular Release 21.0.1
- Angular Security Advisory: GHSA-58c5-g7wp-6w37
