Cyber Web Spider Blog – News
Angular HTTP Client Vulnerability Exposes XSRF Token to an Attacker-Controlled Domain

Posted on November 27, 2025 by CWS

A high-severity security vulnerability has been found in the Angular framework that could allow attackers to steal sensitive user security tokens.

The vulnerability, tracked as CVE-2025-66035, affects the Angular HttpClient and involves the unintentional leakage of Cross-Site Request Forgery (XSRF) tokens.

Angular applications use a built-in security mechanism to prevent Cross-Site Request Forgery (CSRF) attacks.

Angular HTTP Client Vulnerability

This mechanism works by assigning a secret token to the user's session: the server places it in a cookie (XSRF-TOKEN by default), and Angular's HttpClient copies it into an X-XSRF-TOKEN request header. Whenever the application sends a state-changing request to the server, it includes this token to prove the request originated from the application itself.

The flaw lies in how Angular determines whether a request is same-origin. The HttpClient inspects the destination URL to decide whether to attach the token: absolute URLs are treated as cross-origin and skipped, while everything else is assumed to be local.

Unfortunately, the logic incorrectly classified URLs beginning with // (protocol-relative URLs) as same-origin requests, even though the browser resolves //host/path against the current scheme and sends the request to that other host.

CVE ID: CVE-2025-66035
Vulnerability Type: Credential Leak / XSRF Token Exposure
CVSS Score: 7.5
Attack Vector: Network
CWE Identifiers: CWE-201 (Insertion of Sensitive Information Into Sent Data), CWE-359 (Exposure of Private Personal Information)
Impact: Allows attackers to capture XSRF tokens and bypass CSRF protections to perform unauthorized actions on behalf of victims

Suppose a developer inadvertently uses a protocol-relative URL (e.g., //attacker.com) in an HTTP request, which can happen when the request path is assembled from input the application did not generate itself. In that case, Angular mistakenly treats it as a same-origin URL and sends the user's secret XSRF token to that external domain.

If an attacker successfully tricks the application into sending a mutating request to a domain they control, they can capture the user's valid XSRF token from the X-XSRF-TOKEN header.

With this stolen token, the attacker can bypass the CSRF protection. This allows them to perform unauthorized actions on the victim's behalf, such as changing account settings or submitting fraudulent transactions. The token is only useful together with the victim's session: the forged request must still carry the session cookie, so SameSite cookie attributes and server-side checks of the Origin header remain a second line of defence.

The vulnerability affects several versions of the framework. The following table outlines the affected versions and the required updates.

Development teams using Angular should upgrade to the patched versions immediately to ensure their applications are secure.

If an immediate upgrade is not possible, a workaround is available. Developers must ensure their code avoids using protocol-relative URLs (starting with //) in HttpClient requests.

Instead, all backend requests should use relative paths (starting with /) or fully qualified absolute URLs (starting with
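The token-attachment decision described above and the workaround it motivates, as an added example in plain JavaScript (Node) that is not Angular's source and not code from the advisory: it models the interceptor's pre-fix and post-fix URL rules side by side, resolves each sample URL with the browser's own URL parser to show where the request would really go, and ends with an origin-based guard a team can put in front of HttpClient calls while it cannot yet upgrade. The function names, the app origin https://app.example and the token value are assumptions of this example; the cookie and header names are Angular's documented defaults.

```javascript
// Added example, not Angular's source: a stand-alone model of the HttpClient
// XSRF interceptor's "attach the token?" decision before and after the
// CVE-2025-66035 fix, plus an origin-based guard for the workaround.
// Function names, the app origin and the token value are this example's
// own assumptions; the cookie and header names are Angular's defaults.

const XSRF_COOKIE = 'XSRF-TOKEN';         // Angular's default cookie name
const XSRF_HEADER = 'X-XSRF-TOKEN';       // Angular's default header name
const APP_ORIGIN = 'https://app.example'; // constructed sample origin

// Pre-fix rule as the advisory describes it: the token is withheld only for
// safe methods and for URLs that literally begin with http:// or https://.
// A protocol-relative "//host/path" passes this test and receives the token.
function attachesTokenPreFix(method, url) {
  const lc = url.toLowerCase();
  if (method === 'GET' || method === 'HEAD') return false;
  return !(lc.startsWith('http://') || lc.startsWith('https://'));
}

// Post-fix rule: a URL beginning with "//" is also treated as absolute
// (cross-origin), so it no longer receives the token.
function attachesTokenFixed(method, url) {
  const lc = url.toLowerCase();
  if (method === 'GET' || method === 'HEAD') return false;
  return !(lc.startsWith('http://') || lc.startsWith('https://') || lc.startsWith('//'));
}

// Resolve the URL the way the browser will (WHATWG URL parser) and compare
// origins. This is what a guard should rely on: prefix matching cannot see the
// origin the parser will actually produce (for http(s) URLs the parser also
// folds "\\host/path" into "https://host/path").
function isSameOrigin(url, appOrigin) {
  let resolved;
  try {
    resolved = new URL(url, appOrigin);
  } catch (e) {
    return false; // unparsable input is never treated as same-origin
  }
  return resolved.origin === new URL(appOrigin).origin;
}

// Model of the interceptor: copy the cookie value into the request header
// when the given rule says the request is same-origin.
function simulateInterceptor(rule, method, url, cookies, headers) {
  const out = Object.assign({}, headers || {});
  const token = cookies[XSRF_COOKIE];
  if (token && rule(method, url) && !(XSRF_HEADER in out)) {
    out[XSRF_HEADER] = token;
  }
  return out;
}

// Workaround guard for call sites (or for a custom interceptor registered
// ahead of the XSRF one): reject protocol-relative URLs outright and anything
// else that does not resolve to the application's own origin.
function assertApiUrl(url, appOrigin) {
  if (url.startsWith('//')) {
    throw new Error('protocol-relative URL rejected: ' + url);
  }
  if (!isSameOrigin(url, appOrigin)) {
    throw new Error('URL does not resolve to ' + appOrigin + ': ' + url);
  }
  return url;
}

// Walk constructed sample requests through both rules and report where the
// token would go. The absolute own-origin URL gets no token under either
// rule: Angular only attaches it to relative URLs.
function demo() {
  const cookies = { [XSRF_COOKIE]: 'sample-token-123' }; // constructed value
  const samples = [
    ['POST', '/api/profile'],                    // relative path: same-origin
    ['POST', 'https://app.example/api/profile'], // absolute, own origin
    ['POST', '//attacker.example/collect'],      // protocol-relative: foreign host
    ['GET',  '//attacker.example/collect'],      // safe method: never gets the token
  ];
  return samples.map(([method, url]) => ({
    method,
    url,
    resolvesTo: new URL(url, APP_ORIGIN).origin,
    tokenBeforeFix: XSRF_HEADER in simulateInterceptor(attachesTokenPreFix, method, url, cookies),
    tokenAfterFix: XSRF_HEADER in simulateInterceptor(attachesTokenFixed, method, url, cookies),
  }));
}

console.table(demo());
```

Running the block prints one row per sample: the POST to //attacker.example/collect resolves to https://attacker.example yet carries the token under the pre-fix rule and not under the fixed one, which is the leak in one line. The guard deliberately resolves the URL rather than checking prefixes, so it rejects any form the browser would send elsewhere; as a quick audit while a fix is pending, grepping the application source for string literals that begin with // finds the call sites that need changing.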
