CVE-2025-66035 is a high-severity vulnerability affecting Angular. This vulnerability allows unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token due to a flaw in the Angular HttpClient's handling of protocol-relative URLs. Specifically, prior to versions 19.2.16, 20.3.14, and 21.0.1, the Angular framework incorrectly treated protocol-relative URLs as same-origin requests. As a result, the XSRF token could potentially be leaked to an attacker-controlled domain. Organizations using affected versions of Angular must immediately prioritize remediation efforts.
The vulnerability has a CVSS score of 7.7, indicating a high severity level, which means it poses a significant risk to organizations. The urgency for defenders is critical, as the exploitation of this vulnerability could lead to unauthorized access to sensitive data. Although there are currently no confirmed public exploits available, the nature of the vulnerability warrants immediate attention to prevent potential attacks.
Organizations should prioritize patching immediately. The issue has been addressed in versions 19.2.16, 20.3.14, and 21.0.1. A workaround is to avoid using protocol-relative URLs in HttpClient requests and instead use fully qualified URLs or relative paths.
In summary, CVE-2025-66035 presents a high-level risk due to its potential for XSRF token leakage, underscoring the importance of timely updates and secure coding practices.
Vulnerability Details
CVE-2025-66035 is classified as a credential leak vulnerability due to application logic errors in Angular's HttpClient. The vulnerability is categorized under CWE-201 (Missing Authentication) and CWE-359 (Exposure of Private Information). This issue affects all versions of Angular prior to the aforementioned patched versions.
The vulnerability was published on November 26, 2025, and affects the Angular framework utilized for building web applications with TypeScript and JavaScript. The lack of proper handling for protocol-relative URLs allows attackers to inadvertently receive sensitive tokens intended for same-origin requests.
Technical Analysis
The root cause of CVE-2025-66035 stems from the Angular HttpClient's mechanism for handling XSRF tokens. The HttpClient is designed to protect against XSRF attacks by adding tokens to requests when the request URL is identified as same-origin. However, when encountering a protocol-relative URL (starting with //), the framework incorrectly interprets it as a same-origin request, leading to automatic inclusion of the XSRF token in the request headers.
This vulnerability is classified as having a low attack complexity since it requires no special privileges or user interactions. The attack vector is network-based, meaning that an attacker can exploit the vulnerability remotely without the need for physical access to the system.
The confidentiality impact is high, as sensitive tokens may be disclosed, while integrity and availability impacts are assessed as none. Organizations should be aware of the potential for unauthorized access to sensitive data if the vulnerability is not addressed.
Risk & Impact Analysis
The real-world deployment risk associated with CVE-2025-66035 is significant. Organizations utilizing Angular for web application development must understand the implications of XSRF token leakage. The potential blast radius could include any user data or session tokens that are exposed to attackers, leading to unauthorized actions within the application.
This vulnerability matters to organizations because it opens avenues for attackers to perform unauthorized actions, leading to potential data breaches and loss of trust from users. The urgency assessment is high due to the CVSS score of 7.7, which indicates that organizations must act swiftly to mitigate this risk.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | No |
Public PoC | No |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
The affected versions of Angular include all versions prior to 19.2.16, 20.3.14, and 21.0.1. Organizations should ensure they update to these patched versions to mitigate the risk.
Mitigation & Remediation
Organizations should prioritize patching to versions 19.2.16, 20.3.14, or 21.0.1 to mitigate this vulnerability. If immediate patching is not feasible, a workaround involves avoiding protocol-relative URLs in HttpClient requests and instead using hardcoded relative paths or fully qualified trusted absolute URLs.
For further information on effective security practices, organizations may reference this guide on application security assessment to ensure all vulnerabilities are addressed.
Detection Guidance
To detect potential exploitation of CVE-2025-66035, organizations should monitor application logs for unusual requests that include XSRF tokens. Additionally, network signatures should be established to identify traffic patterns indicative of this vulnerability being exploited.
Behavioral anomalies related to unexpected requests or responses should also be tracked to catch any exploitation attempts in real-time.
AppSecure Threat Intelligence Insight
The long-term significance of CVE-2025-66035 lies in its exposure of critical security flaws in widely used frameworks like Angular. As web applications continue to evolve, the importance of robust security measures cannot be overstated.
Organizations must learn from this vulnerability to enhance their security posture, particularly in ensuring that application frameworks handle sensitive data appropriately. For further insights on vulnerability management, organizations can explore best practices in vulnerability management and invest in comprehensive penetration testing methodologies to identify and mitigate similar vulnerabilities in the future.
Moreover, organizations should consider adopting proactive measures to fortify their defenses against emerging threats and vulnerabilities.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)