Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2025-66035

Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client
Back to all
CVE

CVE-2025-66035

Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client

The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.

Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header.

Impact

The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.

Attack Preconditions

  1. The victim's Angular application must have XSRF protection enabled.  
  2. The attacker must be able to make the application send a state-changing HTTP request (e.g., POST) to a protocol-relative URL  (e.g., //attacker.com) that they control.

Patches

  • 19.2.16
  • 20.3.14
  • 21.0.1

Workarounds

Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.7
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Related Resources

No items found.

References

https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37, https://nvd.nist.gov/vuln/detail/CVE-2025-66035, https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f, https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc, https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e, https://github.com/angular/angular, https://github.com/angular/angular/releases/tag/19.2.16, https://github.com/angular/angular/releases/tag/20.3.14, https://github.com/angular/angular/releases/tag/21.0.1

Severity

7.5

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.5
EPSS Probability
0.00072%
EPSS Percentile
0.22372%
Introduced Version
21.0.0-next.0,21.0.0-next.6,20.0.5,20.0.0-next.5,19.2.5,20.0.0-next.0,19.0.0-next.2,16.0.0-next.5,15.0.0-next.6,13.0.0-next.10,8.0.0-beta.8,6.0.0-rc.0,5.0.0-rc.0,5.0.0-beta.6,4.3.0
Fix Available
21.0.1,20.3.14,19.2.16

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading