PT-2025-48196 · Google · Angular

Published: 2025-11-26 · Updated: 2026-02-13 · CVE-2025-66035

CVSS v4.0: 7.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Angular versions prior to 19.2.16
Angular versions prior to 20.3.14
Angular versions prior to 21.0.1

Description
Angular's HttpClient has a built-in Cross-Site Request Forgery (XSRF) protection mechanism. When handling requests with protocol-relative URLs (URLs starting with '//'), the XSRF interceptor incorrectly treats them as same-origin requests. As a result, the XSRF token is automatically added to the X-XSRF-TOKEN header of such requests, so the token is disclosed to whatever domain the protocol-relative URL resolves to, including an attacker-controlled one. This is a credential leak caused by application logic rather than by a memory-safety or injection flaw.

Recommendations
Angular versions prior to 19.2.16: update to version 19.2.16 or later.
Angular versions prior to 20.3.14: update to version 20.3.14 or later.
Angular versions prior to 21.0.1: update to version 21.0.1 or later.
Avoid using protocol-relative URLs (URLs starting with '//') in HttpClient requests. Use hardcoded relative paths (starting with a single '/') or fully qualified, trusted absolute URLs for all backend communication.
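The misclassification the description refers to, and a check for the protocol-relative URL literals the recommendations say to avoid, as an added example. This is illustrative code written for this page, not Angular's own interceptor source: the application origin (https://app.example), the token value and the sample source snippet are constructed, and the two classifier functions are simplified stand-ins for the decision an XSRF interceptor makes before attaching X-XSRF-TOKEN.

```javascript
// Added example (not Angular's source code): models the decision an XSRF
// interceptor makes about whether a request URL is same-origin and therefore
// eligible for the X-XSRF-TOKEN header. Origin and token are constructed.
const APP_ORIGIN = 'https://app.example';
const XSRF_TOKEN = 'constructed-xsrf-token';

// Prefix-based classifier of the kind the advisory describes: only URLs that
// literally start with http:// or https:// count as cross-origin, so a
// protocol-relative URL such as '//attacker.example/api' is misclassified
// as same-origin and would receive the token.
function isSameOriginPrefixCheck(url) {
  const lc = url.toLowerCase();
  return !(lc.startsWith('http://') || lc.startsWith('https://'));
}

// Origin-based classifier: resolve the URL against the application origin the
// way the browser will, then compare origins. Protocol-relative URLs,
// backslash variants ('\\attacker.example/...') and scheme changes
// (http:// against an https:// app) all resolve to a foreign origin.
function isSameOriginResolved(url) {
  let resolved;
  try {
    resolved = new URL(url, APP_ORIGIN);
  } catch {
    return false; // unparseable: never attach a credential on a guess
  }
  return resolved.origin === APP_ORIGIN;
}

// Minimal stand-in for the interceptor: returns the extra headers a request
// would carry. GET and HEAD are skipped, as they do not need the token.
function xsrfHeadersFor(url, method, classifier) {
  const headers = {};
  const m = method.toUpperCase();
  const safeMethod = m === 'GET' || m === 'HEAD';
  if (!safeMethod && classifier(url)) {
    headers['X-XSRF-TOKEN'] = XSRF_TOKEN;
  }
  return headers;
}

// Audit helper for the recommendation to avoid protocol-relative URLs:
// returns every quoted string literal in the source text that starts with '//'.
function findProtocolRelativeUrlLiterals(sourceText) {
  const hits = [];
  const literal = /(['"`])(\/\/[^'"`\s]*)\1/g;
  let match;
  while ((match = literal.exec(sourceText)) !== null) {
    hits.push(match[2]);
  }
  return hits;
}

// Constructed snippet of application code to audit.
const SAMPLE_SOURCE = `
  this.http.post('/api/orders', body);                // relative path, fine
  this.http.post('//cdn.example/api/track', body);    // protocol-relative
  const docs = 'https://docs.example/guide';          // absolute, fine
`;

// Compares both classifiers on the leaking URL and runs the audit helper.
function demo() {
  const leakUrl = '//attacker.example/api';
  return {
    prefixCheckAttachesToken:
      'X-XSRF-TOKEN' in xsrfHeadersFor(leakUrl, 'POST', isSameOriginPrefixCheck),
    resolvedCheckAttachesToken:
      'X-XSRF-TOKEN' in xsrfHeadersFor(leakUrl, 'POST', isSameOriginResolved),
    flaggedLiterals: findProtocolRelativeUrlLiterals(SAMPLE_SOURCE),
  };
}

console.log(demo());
```

Run with `node`. The prefix classifier attaches the token to the protocol-relative request while the origin-resolving classifier does not; the audit helper flags only the `//cdn.example/...` literal. Extending a prefix check with a `//` case closes the advisory's specific gap, but resolving the URL and comparing origins is the more robust choice because it also covers backslash forms and scheme downgrades that a prefix list has to enumerate by hand.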

Weakness Enumeration

Related Identifiers

CVE-2025-66035
GHSA-58C5-G7WP-6W37

Affected Products

Angular