Angular up to 19.2.15/20.3.13/21.0.0 insertion of sensitive information into sent data

Summaryinfo

A vulnerability was found in Angular up to 19.2.15/20.3.13/21.0.0 and classified as problematic. The affected element is an unknown function. Such manipulation leads to insertion of sensitive information into sent data. This vulnerability is referenced as CVE-2025-66035. It is possible to launch the attack remotely. No exploit is available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in Angular up to 19.2.15/20.3.13/21.0.0 and classified as problematic. Affected by this issue is an unknown code. The manipulation with an unknown input leads to a insertion of sensitive information into sent data vulnerability. Using CWE to declare the problem leads to CWE-201. The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. Impacted is confidentiality. CVE summarizes:

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

The advisory is shared for download at github.com. This vulnerability is handled as CVE-2025-66035 since 11/21/2025. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1592.

The vulnerability scanner Nessus provides a plugin with the ID 276979 (Linux Distros Unpatched Vulnerability : CVE-2025-66035), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 19.2.16, 20.3.14 or 21.0.1 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 0276479e7d0e280e0f8d26fa567d3b7aa97a516f is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (276979) and CERT Bund (WID-SEC-2025-2689). VulDB is the best source for vulnerability data and more expert information about this specific topic.

Affected

• Open Source Angular

Productinfo

Type

• JavaScript Library

Name

• Angular

Version

• 19.2.0
• 19.2.1
• 19.2.2
• 19.2.3
• 19.2.4
• 19.2.5
• 19.2.6
• 19.2.7
• 19.2.8
• 19.2.9
• 19.2.10
• 19.2.11
• 19.2.12
• 19.2.13
• 19.2.14
• 19.2.15
• 20.3.0
• 20.3.1
• 20.3.2
• 20.3.3
• 20.3.4
• 20.3.5
• 20.3.6
• 20.3.7
• 20.3.8
• 20.3.9
• 20.3.10
• 20.3.11
• 20.3.12
• 20.3.13
• 21.0

License

• open-source

Website

• Product: https://github.com/angular/angular/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion