CVE-2025-66035 in Angular
Summary
by MITRE • 11/27/2025
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular's HTTP client. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with a protocol-relative prefix (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding the use of protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
Analysis
by VulDB Data Team • 12/02/2025
The vulnerability identified as CVE-2025-66035 represents a critical credential leakage issue within the Angular framework's HTTP client implementation. This flaw specifically affects versions prior to 19.2.16, 20.3.14, and 21.0.1, where the Cross-Site Request Forgery protection mechanism fails to properly validate protocol-relative URLs. The technical root cause lies in how Angular's HttpClient evaluates request origins when determining whether to include XSRF tokens in outgoing requests. When a URL begins with a protocol-relative prefix (//), the framework incorrectly classifies it as same-origin, bypassing the security checks that should prevent token leakage to external domains. This misclassification creates a scenario where sensitive XSRF tokens are automatically included in headers sent to attacker-controlled domains, fundamentally undermining the security model designed to protect against cross-site request forgery attacks. The vulnerability aligns with CWE-200 (Information Exposure) and represents a credential leak by application logic that directly compromises the integrity of the security mechanism.
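The origin decision described above, reduced to a small model as an added example. This is not Angular's source and not VulDB's code: the "flawed" check reproduces only the prefix test the advisory describes, and the "hardened" check is an assumption about one correct approach (resolve the URL against the page origin with the WHATWG URL parser and compare origins) rather than the actual patch. The page origin, header name handling and token value are constructed for the demonstration.

```typescript
// Added example: a minimal model of an XSRF interceptor's same-origin decision.
// Not Angular's implementation; it only reproduces the behaviour the advisory
// describes and contrasts it with a parser-based check.

interface OutgoingRequest {
  method: string;
  url: string;
  headers: Record<string, string>;
}

const XSRF_HEADER = 'X-XSRF-TOKEN';

// Flawed check modelled on the pre-patch behaviour described in the advisory:
// only an explicit http:// or https:// prefix counts as cross-origin, so a
// protocol-relative "//host/..." URL falls through as "same-origin".
export function isCrossOriginFlawed(url: string): boolean {
  const lc = url.toLowerCase();
  return lc.startsWith('http://') || lc.startsWith('https://');
}

// Hardened check (an assumption, not Angular's patch): let the URL parser
// resolve the request URL against the page origin and compare the result.
// "//other.example/x" resolves to "https://other.example/x" and is rejected.
export function isCrossOriginHardened(url: string, pageOrigin: string): boolean {
  try {
    return new URL(url, pageOrigin).origin !== pageOrigin;
  } catch {
    return true; // unparsable URL: never attach the token
  }
}

// Attach the token only for non-safe methods, only when a token exists, only
// when the header is not already set, and only for same-origin requests.
export function attachXsrfToken(
  req: OutgoingRequest,
  token: string | null,
  pageOrigin: string,
  crossOriginCheck: (url: string, origin: string) => boolean,
): OutgoingRequest {
  const safeMethod = req.method === 'GET' || req.method === 'HEAD';
  if (safeMethod || token === null || req.headers[XSRF_HEADER] !== undefined) return req;
  if (crossOriginCheck(req.url, pageOrigin)) return req;
  return { ...req, headers: { ...req.headers, [XSRF_HEADER]: token } };
}

// True when a POST to `url` would carry the token to an origin other than the
// (constructed) page origin, i.e. the leak the advisory describes.
export function tokenLeaks(url: string, hardened: boolean): boolean {
  const pageOrigin = 'https://app.example'; // constructed
  const check = hardened
    ? isCrossOriginHardened
    : (u: string) => isCrossOriginFlawed(u);
  const out = attachXsrfToken(
    { method: 'POST', url, headers: {} },
    'constructed-token-value', // constructed, not a real token
    pageOrigin,
    check,
  );
  const sent = out.headers[XSRF_HEADER] !== undefined;
  return sent && isCrossOriginHardened(url, pageOrigin);
}
```

Running `tokenLeaks('//other.example/api/update', false)` returns `true` with the flawed check and `false` with the hardened one; a single-slash relative path never leaks under either, and an explicit `https://` URL to another host is rejected by both, which is why the advisory's workaround of using only relative paths or fully qualified URLs holds even on unpatched versions.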
The operational impact of this vulnerability extends beyond simple information disclosure to create a substantial attack surface for malicious actors. When protocol-relative URLs are used in HttpClient requests, the automatic inclusion of XSRF tokens in the X-XSRF-TOKEN header creates a pathway for attackers to harvest these tokens from legitimate applications. This token leakage enables attackers to perform authenticated actions on behalf of users, effectively defeating the protection that XSRF tokens are designed to provide. The flaw particularly affects applications that rely on dynamic URL construction or third-party integration patterns where protocol-relative URLs might be inadvertently introduced. Attackers can leverage this vulnerability through techniques such as DNS rebinding, malicious domain takeover, or by hosting malicious content on domains that are trusted by the application's security policies. From an ATT&CK perspective, this vulnerability maps to T1566 (Phishing) and T1071.004 (Application Layer Protocol: DNS), as attackers can craft malicious requests that exploit the flawed URL validation logic to extract sensitive authentication tokens.
The mitigation strategy for CVE-2025-66035 requires immediate attention from development teams and system administrators. The primary recommended fix involves upgrading to patched versions 19.2.16, 20.3.14, or 21.0.1 where the protocol-relative URL handling has been corrected to properly distinguish between same-origin and cross-origin requests. Organizations should implement comprehensive code reviews to identify all instances where HttpClient is used with protocol-relative URLs, as these patterns must be eliminated from application code. The workaround suggested by the Angular team emphasizes the importance of using hardcoded relative paths (starting with a single /) or fully qualified absolute URLs that include explicit protocols. This approach ensures that the framework's origin detection logic functions correctly and prevents the unintended leakage of XSRF tokens. Security teams should also consider implementing network-level monitoring to detect unusual patterns in X-XSRF-TOKEN header usage, as this can serve as an indicator of potential exploitation attempts. Additionally, developers should establish coding standards that prohibit the use of protocol-relative URLs in HTTP client requests, particularly in applications that handle sensitive operations or user authentication flows. The vulnerability demonstrates the critical importance of proper URL validation and origin checking in modern web applications, where seemingly minor implementation details can have significant security implications.
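The network-level monitoring suggested above, as an added example that is not part of the advisory or of any VulDB tooling: a detector that reads proxy log records and raises an alert whenever a request carrying an X-XSRF-TOKEN header goes to an origin outside the application's own allowlist. The log format (one JSON object per line with `ts`, `method`, `url` and a list of header names) and the sample lines are constructed for the demonstration; real proxies log different fields, so `parseRecord` is the one function to adapt.

```typescript
// Added example: flag X-XSRF-TOKEN headers sent to non-allowlisted origins in
// constructed egress-proxy log lines. Field names are an assumption.

export interface ProxyRecord {
  ts: string;
  method: string;
  url: string;
  headers: string[]; // header names only, as a proxy might record them
}

export interface Alert {
  ts: string;
  host: string;
  url: string;
}

// Constructed sample log: one same-origin POST with the token (expected),
// one GET without it, one POST carrying the token to a foreign host (the
// leak), a malformed line, and a same-origin PUT with the header in
// mixed case to show matching is case-insensitive.
export const CONSTRUCTED_LOG: string[] = [
  '{"ts":"2025-12-02T10:00:01Z","method":"POST","url":"https://app.example.invalid/api/update","headers":["content-type","x-xsrf-token"]}',
  '{"ts":"2025-12-02T10:00:02Z","method":"GET","url":"https://cdn.example.invalid/logo.png","headers":["accept"]}',
  '{"ts":"2025-12-02T10:00:03Z","method":"POST","url":"https://other.example.invalid/api/update","headers":["content-type","x-xsrf-token"]}',
  'not a json record',
  '{"ts":"2025-12-02T10:00:04Z","method":"PUT","url":"https://app.example.invalid/api/profile","headers":["X-XSRF-TOKEN"]}',
];

// Parse one line; return null for anything that is not a usable record.
export function parseRecord(line: string): ProxyRecord | null {
  try {
    const obj = JSON.parse(line);
    if (typeof obj.url !== 'string' || !Array.isArray(obj.headers)) return null;
    return obj as ProxyRecord;
  } catch {
    return null;
  }
}

function parseUrl(s: string): URL | null {
  try {
    return new URL(s);
  } catch {
    return null;
  }
}

// Alert on every record that carries the XSRF header to an origin that is
// not in the allowlist. Origins are normalised through the URL parser so
// "https://app.example.invalid" and "https://app.example.invalid/" agree.
export function detectTokenLeaks(lines: string[], allowedOrigins: string[]): Alert[] {
  const allowed = new Set(allowedOrigins.map(o => new URL(o).origin));
  const alerts: Alert[] = [];
  for (const line of lines) {
    const rec = parseRecord(line);
    if (rec === null) continue;
    const carriesToken = rec.headers.some(h => h.toLowerCase() === 'x-xsrf-token');
    if (!carriesToken) continue;
    const target = parseUrl(rec.url);
    if (target === null) continue;
    if (!allowed.has(target.origin)) {
      alerts.push({ ts: rec.ts, host: target.host, url: rec.url });
    }
  }
  return alerts;
}
```

Run over the constructed log with `['https://app.example.invalid/']` as the allowlist, the detector returns exactly one alert, for the 10:00:03 request to `other.example.invalid`; the same-origin requests and the malformed line produce nothing. Because the leak happens in the user's browser, this check only sees traffic that passes through an inspecting proxy, so it complements, rather than replaces, the upgrade and the removal of protocol-relative URLs from application code.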