CVE-2025-66035

Information Exposure
Affects
Angular
in
Angular
Versions
>=21.0.0-next.0 <21.0.1, >=20.0.0-next.0 <20.3.14, >=19.0.0-next.0 <19.2.16, <=18.2.14
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.

A vulnerability (CVE-2025-66035) has been identified in the XSRF protection mechanism of Angular's HttpClient. Angular's built-in safeguard automatically attaches the user's XSRF token to same-origin, state-changing HTTP requests so that the server can distinguish them from forged cross-site requests. However, HttpClient's origin-checking logic incorrectly treated protocol-relative URLs as same-origin. A protocol-relative URL begins with two slashes and names a host (for example //attacker.example/collect); the browser resolves it using the current page's scheme, so on an HTTPS page it becomes https://attacker.example/collect, a different origin. As a result, Angular automatically attached the user's XSRF token to requests targeting attacker-controlled domains written in this syntax.

This unintended leakage of a session-bound secret maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the application reveals data that can be used to defeat one of its own controls. Because the token is handed to the attacker's host by a misclassified protocol-relative request, the attacker can replay it in a forged cross-site request, which is why the issue also aligns with CWE-352 (Cross-Site Request Forgery). Two conditions still apply for the forged request to succeed: the application must send a state-changing request to a protocol-relative URL the attacker can influence, and the victim's browser must still attach the session cookie to the attacker's cross-site request (server-enforced SameSite=Lax or Strict session cookies therefore narrow the exposure). Even so, the token leak removes the very check the XSRF mechanism relies on, so affected applications should treat it as exploitable.

Patched releases address the issue by enforcing strict origin validation, ensuring that protocol-relative URLs are always treated as cross-origin and never receive Angular’s XSRF token.

Details

Vulnerability Info

This high-severity vulnerability affects Angular applications that rely on the built-in XSRF protection provided by the HttpClient module in @angular/common. Angular's XSRF interceptor reads the token (by default from the XSRF-TOKEN cookie) and appends it as an X-XSRF-TOKEN header to state-changing (non-GET, non-HEAD) requests it considers same-origin, helping defend against Cross-Site Request Forgery (CSRF) attacks. The interceptor's origin check, however, only recognised absolute http:// and https:// URLs as cross-origin, so protocol-relative URLs (URLs beginning with //) were incorrectly classified as same-origin even though the browser resolves them to whatever host follows the slashes.

When an application issues such a request to a protocol-relative URL under attacker influence (for example, a URL assembled from untrusted input or configuration), Angular automatically includes the X-XSRF-TOKEN header, exposing the user's valid XSRF token to a domain controlled by the attacker. With this token, and with the victim's session cookie still being sent by the browser, the attacker can perform authenticated CSRF actions on behalf of the victim, bypassing one of Angular's core security safeguards.

Per OWASP, this vulnerability falls under the Information Exposure and Cross-Site Request Forgery categories: a sensitive token is unintentionally disclosed, enabling unauthorized state-changing actions. Any application using Angular's XSRF protection mechanism that sends state-changing requests to protocol-relative URLs it does not fully control is at risk. Applications that only ever request relative paths or fully qualified URLs do not exercise the flawed branch, but should upgrade regardless, because a single URL built from user input can introduce the pattern later.

Patched versions correct the origin-detection logic to ensure that protocol-relative URLs are always treated as cross-origin, preventing Angular from attaching XSRF tokens to these requests.
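The following is an added illustration for the Overview and Vulnerability Info sections above; it is not Angular's source code and not HeroDevs' tooling. It contains two simplified reconstructions of the interceptor's decision (a pre-patch prefix check and a patched check that also treats // as cross-origin), a WHATWG URL resolution showing where a protocol-relative URL actually lands, and a stricter origin-based alternative that attaches the token only when the resolved origin equals the page origin (an alternative policy, not what Angular ships). The page origin https://app.example, the host attacker.example, the token value and every function name are assumptions made for the demonstration.

```typescript
// Added illustration for CVE-2025-66035; not Angular's source code.
// All origins, hosts, token values and function names are assumptions for the demo.

const PAGE_ORIGIN = "https://app.example"; // assumed origin the Angular app is served from

function isMutating(method: string): boolean {
  const m = method.toUpperCase();
  return m !== "GET" && m !== "HEAD"; // the token is only ever attached to state-changing methods
}

// Simplified reconstruction of the pre-patch decision: a URL is "cross-origin"
// only if it begins with http:// or https://. A protocol-relative URL passes.
export function shouldAttachXsrfVulnerable(method: string, url: string): boolean {
  if (!isMutating(method)) return false;
  const lc = url.toLowerCase();
  return !(lc.startsWith("http://") || lc.startsWith("https://"));
}

// Simplified reconstruction of the patched decision: URLs beginning with //
// are also treated as cross-origin and never receive the token.
export function shouldAttachXsrfPatched(method: string, url: string): boolean {
  if (!isMutating(method)) return false;
  const lc = url.toLowerCase();
  return !(lc.startsWith("http://") || lc.startsWith("https://") || lc.startsWith("//"));
}

// Where the browser actually sends the request: resolve the URL against the
// page origin the way the WHATWG URL parser does. "//host/path" keeps the
// page's scheme but swaps in the given host.
export function resolvedOrigin(url: string, pageOrigin: string = PAGE_ORIGIN): string {
  return new URL(url, pageOrigin).origin;
}

// Stricter, origin-based variant (an alternative policy, not Angular's):
// attach only when the resolved origin equals the page origin. Unlike the
// prefix checks it also accepts absolute URLs that point back at our own
// origin, and it refuses anything the parser cannot resolve.
export function shouldAttachXsrfByOrigin(
  method: string,
  url: string,
  pageOrigin: string = PAGE_ORIGIN,
): boolean {
  if (!isMutating(method)) return false;
  let resolved: URL;
  try {
    resolved = new URL(url, pageOrigin);
  } catch {
    return false; // unparseable URL: never leak the token
  }
  return resolved.origin === pageOrigin;
}

type AttachPolicy = (method: string, url: string) => boolean;

// Headers a request would carry under a given policy (double-submit pattern:
// the value read from the XSRF-TOKEN cookie is echoed in X-XSRF-TOKEN).
export function buildHeaders(
  method: string,
  url: string,
  cookieToken: string,
  policy: AttachPolicy,
): Record<string, string> {
  return policy(method, url) ? { "X-XSRF-TOKEN": cookieToken } : {};
}

// Constructed sample inputs.
export const ATTACKER_URL = "//attacker.example/collect"; // protocol-relative, attacker-chosen host
export const SAMPLE_TOKEN = "constructed-token-value";

// Demo run: shows which policy hands the token to the attacker's host.
const policies: Array<[string, AttachPolicy]> = [
  ["vulnerable", shouldAttachXsrfVulnerable],
  ["patched", shouldAttachXsrfPatched],
  ["by-origin", shouldAttachXsrfByOrigin],
];
for (const [name, policy] of policies) {
  const headers = buildHeaders("POST", ATTACKER_URL, SAMPLE_TOKEN, policy);
  console.log(`${name}: POST ${ATTACKER_URL} -> ${resolvedOrigin(ATTACKER_URL)} headers=${JSON.stringify(headers)}`);
}
```

The origin-based variant is the check a reviewer would write from scratch: resolve first, compare origins second, and fail closed on parse errors. A prefix test can only ever enumerate the spellings it knows about.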

Mitigation

Users of affected Angular packages should apply one of the following mitigations:

  • Upgrade to a patched version of the @angular/common package.
  • Leverage commercial support — HeroDevs provides security support for Angular versions 4–18. 
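As an added helper for the upgrade step (not HeroDevs' or Angular's tooling): a dependency-free check of an @angular/common version string against the affected ranges listed on this page. It implements SemVer precedence so that prerelease tags such as 20.0.0-next.0 sort before the corresponding release; the version strings used in the demo run are constructed inputs.

```typescript
// Added helper for CVE-2025-66035; not part of the advisory's or Angular's tooling.
// Checks a version string against the affected ranges published on this page.

type Ver = { main: number[]; pre: string[] | null };

export function parseVersion(v: string): Ver {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : null,
  };
}

// SemVer precedence: numeric major.minor.patch first; a prerelease sorts before
// the matching release; prerelease identifiers compare numerically when both
// are digits, numerics before alphanumerics, then lexically, shorter list first.
export function compareVersions(a: string, b: string): number {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.main[i] !== y.main[i]) return x.main[i] < y.main[i] ? -1 : 1;
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const p: string | undefined = x.pre[i];
    const q: string | undefined = y.pre[i];
    if (p === undefined) return -1;
    if (q === undefined) return 1;
    const pn = /^\d+$/.test(p);
    const qn = /^\d+$/.test(q);
    if (pn && qn) {
      if (Number(p) !== Number(q)) return Number(p) < Number(q) ? -1 : 1;
    } else if (pn) {
      return -1;
    } else if (qn) {
      return 1;
    } else if (p !== q) {
      return p < q ? -1 : 1;
    }
  }
  return 0;
}

// Affected ranges exactly as listed on this page.
export const AFFECTED_RANGES: Array<{ min?: string; maxExclusive?: string; maxInclusive?: string }> = [
  { min: "21.0.0-next.0", maxExclusive: "21.0.1" },
  { min: "20.0.0-next.0", maxExclusive: "20.3.14" },
  { min: "19.0.0-next.0", maxExclusive: "19.2.16" },
  { maxInclusive: "18.2.14" },
];

export function isAffected(version: string): boolean {
  return AFFECTED_RANGES.some(
    (r) =>
      (!r.min || compareVersions(version, r.min) >= 0) &&
      (!r.maxExclusive || compareVersions(version, r.maxExclusive) < 0) &&
      (!r.maxInclusive || compareVersions(version, r.maxInclusive) <= 0),
  );
}

// Demo run over constructed version strings.
for (const v of ["18.2.14", "19.2.15", "19.2.16", "20.3.14", "21.0.0-next.3", "21.0.1"]) {
  console.log(`${v}: ${isAffected(v) ? "AFFECTED, upgrade" : "patched or out of range"}`);
}
```

Feed isAffected the version field from node_modules/@angular/common/package.json (or the version printed by npm ls @angular/common); a lockfile that pins several copies needs each one checked.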

Credits

  • AKiileX (Finder)

Vulnerability Details
ID: CVE-2025-66035
Project affected: Angular
Versions affected: >=21.0.0-next.0 <21.0.1, >=20.0.0-next.0 <20.3.14, >=19.0.0-next.0 <19.2.16, <=18.2.14
Published date: December 2, 2025
≈ Fix date: December 1, 2025
Severity: High
CVSS assessment scale: Low (>=0 <4), Medium (>=4 <6), High (>=6 <8), Critical (>=8 <10)
Category: Information Exposure