Angular HTTP Client Vulnerability Exposes XSRF Token to an Attacker-Controlled Domain


A critical security vulnerability has been discovered in the Angular framework that could allow attackers to steal sensitive user security tokens.

The vulnerability, tracked as CVE-2025-66035, affects the Angular HttpClient and involves the accidental leakage of Cross-Site Request Forgery (XSRF) tokens.

Angular applications use a built-in protection mechanism to prevent Cross-Site Request Forgery (CSRF) attacks.


This system works by assigning a secret “token” to a user’s session. Whenever the application sends a request to the server, it includes this token to prove the request is legitimate.

The flaw lies in how Angular decides whether a request is safe to carry the token. The HttpClient inspects the destination URL to determine whether the request is same-origin and, if so, attaches the secret token.

Unfortunately, the logic treated URLs starting with // (protocol-relative URLs) as "same-origin" or local requests, even though such URLs resolve to whatever host follows the //, which may be an external domain.


| Field | Value |
|---|---|
| CVE ID | CVE-2025-66035 |
| Vulnerability Type | Credential Leak / XSRF Token Exposure |
| CVSS Score | 7.5 |
| Attack Vector | Network |
| CWE Identifiers | CWE-201 (Insertion of Sensitive Information Into Sent Data), CWE-359 (Exposure of Private Personal Information) |
| Impact | Allows attackers to capture XSRF tokens and bypass CSRF protections to perform unauthorized actions on behalf of victims |

If a developer inadvertently uses a protocol-relative URL (e.g., //attacker.com) in an HTTP request, Angular mistakenly treats it as a same-origin URL and sends the user's secret XSRF token to that external domain.

If an attacker can therefore get the application to send a request to a domain they control, they can capture the user's valid XSRF token.

With this stolen token, the attacker can bypass CSRF protections entirely. This allows them to perform unauthorized actions on the victim's behalf, such as changing account settings or submitting fraudulent transactions.

The vulnerability affects multiple versions of the framework. The following table outlines the affected versions and the required updates.

Development teams using Angular should upgrade to the patched versions immediately to ensure their applications are secure.

If an immediate upgrade is not possible, a workaround is available: developers must ensure their code never passes protocol-relative URLs (starting with //) to HttpClient.

Instead, all backend requests should use relative paths (starting with /) or fully qualified absolute URLs (starting with https://), so that the same-origin check cannot be confused about the destination host.
