XSRF Token Leakage in Angular HTTP Clients by Google
CVE-2025-66035

7.7HIGH

Key Information:

Vendor

Angular

Status
Angular
Vendor
CVE Published:
26 November 2025

What is CVE-2025-66035?

A vulnerability in Angular's HttpClient allows for the unauthorized disclosure of XSRF tokens via protocol-relative URLs. When a request is made using a URL that starts with '//' (protocol-relative), the XSRF protection mechanism incorrectly treats it as a same-origin request. This leads to the XSRF token being attached to outgoing requests to potentially malicious domains. To mitigate this risk, users should avoid protocol-relative URLs, using either hardcoded relative paths or fully qualified absolute URLs, thus ensuring better security practices.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

angular >= 21.0.0-next.0, < 21.0.1 < 21.0.0-next.0, 21.0.1

angular >= 20.0.0-next.0, < 20.3.14 < 20.0.0-next.0, 20.3.14

angular < 19.2.16 < 19.2.16

References

https://github.com/angular/angular/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/angular/angular/commit/0276479e7d0e280...
x_refsource_MISC
https://github.com/angular/angular/commit/05fe6686a97fa0b...
x_refsource_MISC

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.