GHSA-58C5-G7WP-6W37
Vulnerability from github – Published: 2025-11-26 23:18 – Updated: 2025-12-01 16:02
VLAI?
Summary
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client
Details
The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.
Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header.
Impact
The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.
Attack Preconditions
- The victim's Angular application must have XSRF protection enabled.
- The attacker must be able to make the application send a state-changing HTTP request (e.g.,
POST) to a protocol-relative URL (e.g.,//attacker.com) that they control.
Patches
- 19.2.16
- 20.3.14
- 21.0.1
Workarounds
Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@angular/common"
},
"ranges": [
{
"events": [
{
"introduced": "21.0.0-next.0"
},
{
"fixed": "21.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@angular/common"
},
"ranges": [
{
"events": [
{
"introduced": "20.0.0-next.0"
},
{
"fixed": "20.3.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@angular/common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "19.2.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66035"
],
"database_specific": {
"cwe_ids": [
"CWE-201",
"CWE-359"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-26T23:18:50Z",
"nvd_published_at": "2025-11-26T23:15:49Z",
"severity": "HIGH"
},
"details": "The vulnerability is a **Credential Leak by App Logic** that leads to the **unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token** to an attacker-controlled domain.\n\nAngular\u0027s HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (`http://` or `https://`) to determine if it is cross-origin. If the URL starts with protocol-relative URL (`//`), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the `X-XSRF-TOKEN` header.\n\n### Impact\nThe token leakage completely bypasses Angular\u0027s built-in CSRF protection, allowing an attacker to capture the user\u0027s valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user\u0027s session.\n\n### Attack Preconditions\n1. The victim\u0027s Angular application must have **XSRF protection enabled**. \n2. The attacker must be able to make the application send a state-changing HTTP request (e.g., `POST`) to a **protocol-relative URL** (e.g., `//attacker.com`) that they control.\n\n### Patches\n- 19.2.16\n- 20.3.14\n- 21.0.1\n\n### Workarounds\nDevelopers should avoid using protocol-relative URLs (URLs starting with `//`) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single `/`) or fully qualified, trusted absolute URLs.",
"id": "GHSA-58c5-g7wp-6w37",
"modified": "2025-12-01T16:02:59Z",
"published": "2025-11-26T23:18:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66035"
},
{
"type": "WEB",
"url": "https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f"
},
{
"type": "WEB",
"url": "https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc"
},
{
"type": "WEB",
"url": "https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e"
},
{
"type": "PACKAGE",
"url": "https://github.com/angular/angular"
},
{
"type": "WEB",
"url": "https://github.com/angular/angular/releases/tag/19.2.16"
},
{
"type": "WEB",
"url": "https://github.com/angular/angular/releases/tag/20.3.14"
},
{
"type": "WEB",
"url": "https://github.com/angular/angular/releases/tag/21.0.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…