CVE-2025-66035

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-66035

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66035.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-66035

Aliases

GHSA-58c5-g7wp-6w37

Downstream

UBUNTU-CVE-2025-66035

Published

2025-11-26T22:18:35.692Z

Modified

2025-12-05T10:22:36.739647Z

Severity

7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator

Summary

Angular HTTP Client Has XSRF Token Leakage via Protocol-Relative URLs

Details

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Database specific

{
    "cwe_ids": [
        "CWE-201",
        "CWE-359"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66035.json"
}

References

Affected packages

Git / github.com/angular/angular

Affected ranges

Type

GIT

Repo

https://github.com/angular/angular

Events

Introduced

a0ee6bdfe4102357dd231bcf02f5ff4d44fb585c

Fixed

47a739611a4104c4757719bff45878aa93166bda

Database specific

{
    "versions": [
        {
            "introduced": "21.0.0-next.0"
        },
        {
            "fixed": "21.0.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/angular/angular

Events

Introduced

ab2ee22c3d1a80b7ffe2c74c988dbd2503305b70

Fixed

136e9232c4e7285e163b7683e8725a93ef8bd599

Database specific

{
    "versions": [
        {
            "introduced": "20.0.0-next.0"
        },
        {
            "fixed": "20.3.14"
        }
    ]
}

Type

GIT

Repo

https://github.com/angular/angular

Events

Introduced

Fixed

92db2bac88141b8b161d9de04944b64bf2ce6e13

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "19.2.16"
        }
    ]
}

Affected versions

10.*

10.0.0-next.0

10.0.0-next.1

10.0.0-next.2

10.0.0-next.3

10.0.0-next.4

10.0.0-next.5

10.0.0-next.6

10.0.0-next.7

10.0.0-next.8

10.0.0-next.9

10.0.0-rc.0

10.1.0-next.0

10.1.0-next.1

10.1.0-next.2

10.1.0-next.3

10.1.0-next.4

10.1.0-next.5

10.1.0-next.6

10.1.0-next.7

10.1.0-next.8

10.1.0-rc.0

11.*

11.0.0-next.0

11.0.0-next.1

11.0.0-next.2

11.0.0-next.3

11.0.0-next.4

11.0.0-next.5

11.0.0-next.6

11.1.0-next.0

11.1.0-next.1

11.1.0-next.2

11.1.0-next.3

11.1.0-next.4

12.*

12.0.0-next.0

12.0.0-next.1

12.0.0-next.2

12.0.0-next.3

12.0.0-next.4

12.0.0-next.5

12.0.0-next.6

12.0.0-next.7

12.0.0-next.8

12.1.0

12.1.0-next.2

12.1.0-next.3

12.1.0-next.4

12.1.0-next.5

12.1.0-next.6

12.2.0-next.0

12.2.0-next.1

12.2.0-next.2

12.2.0-next.3

13.*

13.0.0-next.0

13.0.0-next.1

13.0.0-next.10

13.0.0-next.11

13.0.0-next.12

13.0.0-next.13

13.0.0-next.14

13.0.0-next.2

13.0.0-next.3

13.0.0-next.4

13.0.0-next.5

13.0.0-next.6

13.0.0-next.7

13.0.0-next.8

13.0.0-next.9

13.1.0-next.0

13.1.0-next.1

13.1.0-next.2

13.1.0-next.3

13.2.0-next.0

13.2.0-next.1

13.2.0-next.2

14.*

14.0.0-next.0

14.0.0-next.1

14.0.0-next.10

14.0.0-next.11

14.0.0-next.12

14.0.0-next.13

14.0.0-next.14

14.0.0-next.15

14.0.0-next.2

14.0.0-next.3

14.0.0-next.4

14.0.0-next.5

14.0.0-next.6

14.0.0-next.7

14.0.0-next.8

14.0.0-next.9

14.1.0-next.0

14.1.0-next.1

14.1.0-next.2

14.1.0-next.3

14.1.0-next.4

14.2.0-next.0

14.2.0-next.1

15.*

15.0.0-next.0

15.0.0-next.1

15.0.0-next.2

15.0.0-next.3

15.0.0-next.4

15.0.0-next.5

15.1.0-next.0

15.1.0-next.1

15.1.0-next.2

15.1.0-next.3

15.2.0-next.0

15.2.0-next.1

15.2.0-next.2

15.2.0-next.3

15.2.0-next.4

16.*

16.0.0-next.0

16.0.0-next.1

16.0.0-next.2

16.0.0-next.3

16.0.0-next.4

16.0.0-next.5

16.0.0-next.6

16.1.0-next.0

16.1.0-next.1

16.1.0-next.2

16.1.0-next.3

16.2.0-next.0

16.2.0-next.1

16.2.0-next.2

16.2.0-next.3

16.2.0-next.4

17.*

17.0.0-next.0

17.0.0-next.1

17.0.0-next.2

17.0.0-next.3

17.0.0-next.4

17.0.0-next.5

17.0.0-next.6

17.0.0-next.7

17.1.0-next.0

17.1.0-next.1

17.1.0-next.2

17.1.0-next.3

17.1.0-next.4

17.1.0-next.5

17.2.0-next.0

17.2.0-next.1

17.3.0-next.0

17.3.0-next.1

18.*

18.0.0-next.0

18.0.0-next.1

18.0.0-next.2

18.0.0-next.3

18.0.0-next.4

18.0.0-next.5

18.1.0-next.0

18.1.0-next.1

18.1.0-next.2

18.1.0-next.3

18.1.0-next.4

18.2.0-next.0

18.2.0-next.1

18.2.0-next.2

18.2.0-next.3

18.2.0-next.4

19.*

19.0.0-next.0

19.0.0-next.1

19.0.0-next.10

19.0.0-next.2

19.0.0-next.3

19.0.0-next.4

19.0.0-next.5

19.0.0-next.6

19.0.0-next.7

19.0.0-next.8

19.0.0-next.9

19.1.0-next.0

19.1.0-next.1

19.1.0-next.2

19.1.0-next.3

19.1.0-next.4

19.2.0

19.2.0-next.0

19.2.0-next.1

19.2.0-next.2

19.2.0-next.3

19.2.0-rc.0

19.2.1

19.2.10

19.2.11

19.2.12

19.2.13

19.2.14

19.2.15

19.2.2

19.2.3

19.2.4

19.2.5

19.2.6

19.2.7

19.2.8

19.2.9

2.*

2.0.0

2.0.0-alpha.13

2.0.0-alpha.14

2.0.0-alpha.15

2.0.0-alpha.17

2.0.0-alpha.18

2.0.0-alpha.19

2.0.0-alpha.20

2.0.0-alpha.21

2.0.0-alpha.22

2.0.0-alpha.23

2.0.0-alpha.24

2.0.0-alpha.25

2.0.0-alpha.26

2.0.0-alpha.27

2.0.0-alpha.28

2.0.0-alpha.29

2.0.0-alpha.30

2.0.0-alpha.31

2.0.0-alpha.32

2.0.0-alpha.33

2.0.0-alpha.34

2.0.0-alpha.35

2.0.0-alpha.40

2.0.0-alpha.41

2.0.0-alpha.42

2.0.0-alpha.44

2.0.0-alpha.47

2.0.0-alpha.48

2.0.0-alpha.49

2.0.0-alpha.50

2.0.0-alpha.51

2.0.0-alpha.52

2.0.0-alpha.53

2.0.0-alpha.54

2.0.0-alpha.55

2.0.0-beta.0

2.0.0-beta.11

2.0.0-beta.12

2.0.0-beta.13

2.0.0-beta.14

2.0.0-beta.16

2.0.0-beta.17

2.0.0-beta.6

2.0.0-beta.7

2.0.0-beta.8

2.0.0-rc.0

2.0.0-rc.1

2.0.0-rc.2

2.0.0-rc.3

2.0.0-rc.4

2.0.0-rc.5

2.0.0-rc.6

2.0.0-rc.7

2.1.0

2.1.0-beta.0

2.1.0-rc.0

2.2.0

2.2.0-beta.0

2.2.0-beta.1

2.2.0-rc.0

2.3.0

2.3.0-beta.0

2.3.0-rc.0

2.4.0-marker

20.*

20.0.0-next.0

20.0.0-next.1

20.0.0-next.2

20.0.0-next.3

20.0.0-next.4

20.0.0-next.5

20.0.0-next.6

20.0.0-next.7

20.0.0-next.8

20.1.0-next.0

20.1.0-next.1

20.1.0-next.2

20.1.0-next.3

20.2.0

20.2.0-next.0

20.2.0-next.1

20.2.0-next.2

20.2.0-next.3

20.2.0-next.4

20.2.0-next.5

20.2.0-next.6

20.2.0-rc.0

20.2.0-rc.1

20.2.1

20.2.2

20.2.3

20.2.4

20.3.0

20.3.0-rc.0

20.3.1

20.3.10

20.3.11

20.3.12

20.3.13

20.3.2

20.3.3

20.3.4

20.3.5

20.3.6

20.3.7

20.3.8

20.3.9

21.*

21.0.0

21.0.0-next.0

21.0.0-next.1

21.0.0-next.10

21.0.0-next.2

21.0.0-next.3

21.0.0-next.4

21.0.0-next.5

21.0.0-next.6

21.0.0-next.7

21.0.0-next.8

21.0.0-next.9

21.0.0-rc.0

21.0.0-rc.1

21.0.0-rc.2

21.0.0-rc.3

4.*

4.0.0

4.0.0-beta.0

4.0.0-beta.1

4.0.0-beta.2

4.0.0-beta.3

4.0.0-beta.5

4.0.0-beta.6

4.0.0-beta.7

4.0.0-beta.8

4.0.0-rc.1

4.0.0-rc.2

4.0.0-rc.3

4.0.0-rc.4

4.0.0-rc.5

4.0.0-rc.6

4.1.0

4.1.0-beta.0

4.1.0-beta.1

4.1.0-rc.0

4.2.0-beta.0

4.2.0-rc.0

4.2.0-rc.1

4.2.0-rc.2

4.2.1

4.3.0

4.3.0-beta.0

4.3.0-beta.1

4.3.0-rc.0

5.*

5.0.0-beta.0

5.0.0-beta.1

5.0.0-beta.2

5.0.0-beta.3

5.0.0-beta.4

5.0.0-beta.5

5.0.0-beta.6

5.0.0-beta.7

5.0.0-rc.0

5.0.0-rc.1

5.0.0-rc.2

5.0.0-rc.3

5.0.0-rc.4

5.1.0

5.1.0-beta.0

5.1.0-beta.1

5.1.0-beta.2

5.1.0-rc.0

5.1.0-rc.1

5.2.0

5.2.0-beta.0

5.2.0-beta.1

5.2.0-rc.0

6.*

6.0.0-beta.0

6.0.0-beta.1

6.0.0-beta.2

6.0.0-beta.3

6.0.0-beta.4

6.0.0-beta.6

6.0.0-beta.7

6.0.0-beta.8

6.0.0-rc.0

6.0.0-rc.1

6.0.0-rc.2

6.0.0-rc.3

6.0.0-rc.4

6.0.0-rc.5

6.1.0

6.1.0-beta.0

6.1.0-beta.1

6.1.0-beta.2

6.1.0-beta.3

6.1.0-rc.3

7.*

7.0.0-beta.0

7.0.0-beta.1

7.0.0-beta.2

7.0.0-beta.3

7.0.0-beta.4

7.0.0-beta.5

7.0.0-beta.6

7.0.0-beta.7

7.0.0-rc.0

7.0.0-rc.1

7.1.0

7.1.0-beta.0

7.1.0-beta.1

7.1.0-beta.2

7.1.0-rc.0

7.2.0

7.2.0-beta.1

7.2.0-beta.2

7.2.0-rc.0

8.*

8.0.0-beta.0

8.0.0-beta.1

8.0.0-beta.10

8.0.0-beta.11

8.0.0-beta.12

8.0.0-beta.13

8.0.0-beta.14

8.0.0-beta.2

8.0.0-beta.3

8.0.0-beta.4

8.0.0-beta.5

8.0.0-beta.6

8.0.0-beta.7

8.0.0-beta.8

8.0.0-beta.9

8.0.0-rc.0

8.1.0-beta.0

8.1.0-next.1

8.1.0-next.2

8.1.0-next.3

8.1.0-rc.0

8.2.0-next.0

8.2.0-next.1

8.2.0-next.2

9.*

9.0.0-next.0

9.0.0-next.1

9.0.0-next.10

9.0.0-next.11

9.0.0-next.12

9.0.0-next.13

9.0.0-next.14

9.0.0-next.15

9.0.0-next.2

9.0.0-next.3

9.0.0-next.4

9.0.0-next.5

9.0.0-next.6

9.0.0-next.7

9.0.0-next.8

9.0.0-next.9

9.0.0-rc.0

9.0.0-rc.1

9.1.0-next.0

9.1.0-next.1

9.1.0-next.2

9.1.0-next.4

9.1.0-next.5

9.1.0-rc.0

ngcontainer_0.*

ngcontainer_0.3.0

ngcontainer_0.3.1

ngcontainer_0.3.2

ngcontainer_0.3.3

ngcontainer_0.4.0

ngcontainer_0.5.0

Other

patch_sync

vsix-20.*

vsix-20.3.3

vsix-21.*

vsix-21.0.0

zone.*

zone.js-0.10.0

zone.js-0.10.1

zone.js-0.10.2

zone.js-0.10.3

zone.js-0.11.0

zone.js-0.11.2

zone.js-0.11.3

zone.js-0.11.4

zone.js-0.11.5

zone.js-0.11.6

zone.js-0.11.7

zone.js-0.11.8

zone.js-0.12.0

zone.js-0.13.0

zone.js-0.13.1

zone.js-0.13.2

zone.js-0.13.3

zone.js-0.14.0

zone.js-0.14.1

zone.js-0.14.10

zone.js-0.14.2

zone.js-0.14.3

zone.js-0.14.4

zone.js-0.14.5

zone.js-0.14.6

zone.js-0.14.7

zone.js-0.14.8

zone.js-0.15.0

zone.js-0.15.1

zone.js-0.9.2