Angular HTTP Client Vulnerability Exposes XSRF Token to an Attacker-Controlled Domain

Posted on By CWS

A vital safety vulnerability has been found within the Angular framework that might enable attackers to steal delicate person safety tokens.

The vulnerability, tracked as CVE-2025-66035, impacts the Angular HttpClient and includes the unintentional leakage of Cross-Web site Request Forgery (XSRF) tokens.

Angular functions use a built-in safety mechanism to stop Cross-Web site Request Forgery (CSRF) assaults.

Angular HTTP Consumer Vulnerability

This technique works by assigning a secret “token” to a person’s session. At any time when the appliance sends a request to the server, it consists of this token to show the request is official.

The flaw lies in Angular’s dedication of whether or not a request is secure. The system checks vacation spot URLs to find out whether or not to connect this secret token.

Sadly, the logic incorrectly recognized URLs beginning with // (protocol-relative URLs) as “same-origin” or native requests.

FieldValueCVE IDCVE-2025-66035Vulnerability TypeCredential Leak / XSRF Token ExposureCVSS Score7.5 Assault VectorNetworkCWE IdentifiersCWE-201 (Insertion of Delicate Data Into Despatched Knowledge), CWE-359 (Publicity of Personal Private Data)ImpactAllows attackers to seize XSRF tokens and bypass CSRF protections to carry out unauthorized actions on behalf of victims

Suppose a developer inadvertently makes use of a protocol-relative URL (e.g., //attacker.com) in an HTTP request. In that case, Angular mistakenly treats it as a legitimate URL and sends the person’s secret XSRF token to that exterior area.

Suppose an attacker efficiently methods the appliance into sending a request to a website they management. In that case, they’ll seize the person’s legitimate XSRF token.

Cvn With this stolen key, the attacker can bypass CSRF protections solely. This permits them to carry out unauthorized actions on the sufferer’s behalf, resembling altering account settings or submitting fraudulent transactions.

The vulnerability impacts a number of variations of the framework. The next desk outlines the affected variations and the required updates.

Growth groups utilizing Angular ought to improve to the patched variations instantly to make sure their functions are safe.

If an instantaneous improve shouldn’t be attainable, a workaround is accessible. Builders should guarantee their code avoids utilizing protocol-relative URLs (beginning with //).

As a substitute, all backend requests ought to use relative paths (beginning with /) or totally certified absolute URLs (beginning with 

Observe us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to characteristic your tales.

Cyber Security News Tags:, , , , , , , ,

Related Posts

Russian Hackers Exploiting 7-Year-Old Cisco Vulnerability to Collect Configs from Industrial Systems Cyber Security News
Threat Actors Using Fake Travel Websites to Infect Users’ PCs with XWorm Malware Cyber Security News
Threat Actors Exploiting SonicWall Firewalls to Deploy Akira Ransomware Using Malicious Logins Cyber Security News
Tsundere Botnet Abusing Popular Node.js and Cryptocurrency Packages to Attack Windows, Linux, and macOS Users Cyber Security News
New Frontiers In Identity-Based Access Control Cyber Security News
Best Network Security Solutions for CSO Cyber Security News