CVE-2025-66035 Overview
CVE-2025-66035 is a credential leak vulnerability affecting Angular's HttpClient XSRF protection mechanism. The vulnerability allows unauthorized disclosure of Cross-Site Request Forgery (XSRF) tokens to attacker-controlled domains through improper handling of protocol-relative URLs.
Angular's HttpClient includes a built-in XSRF protection mechanism that determines whether a request is cross-origin by checking if the URL starts with a protocol (http:// or https://). However, when a URL begins with a protocol-relative format (//), the validation logic incorrectly treats it as a same-origin request. This causes the XSRF token to be automatically appended to the X-XSRF-TOKEN header and transmitted to potentially malicious external domains.
Critical Impact
Attackers can exploit this vulnerability to steal XSRF tokens from Angular applications, enabling Cross-Site Request Forgery attacks against authenticated users by intercepting sensitive security tokens intended for same-origin requests.
Affected Products
- Angular versions prior to 19.2.16
- Angular versions prior to 20.3.14
- Angular versions prior to 21.0.1
Discovery Timeline
- November 26, 2025 - CVE CVE-2025-66035 published to NVD
- December 1, 2025 - Last updated in NVD database
Technical Details for CVE-2025-66035
Vulnerability Analysis
This vulnerability is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data). The flaw exists in Angular's xsrfInterceptorFn function within the HTTP client module. The core issue stems from an incomplete URL validation check that fails to account for protocol-relative URLs—a legacy URL format that inherits the protocol scheme from the current page.
When an Angular application makes an HTTP request using HttpClient, the XSRF interceptor is supposed to prevent tokens from being sent to cross-origin destinations. The original implementation only checked for explicit http:// or https:// prefixes to identify absolute URLs. Protocol-relative URLs (beginning with //) bypass this check entirely, causing the interceptor to misidentify them as relative same-origin paths and attach the XSRF token.
An attacker who can influence the request URL—either through user input, open redirects, or other injection vectors—can craft a protocol-relative URL pointing to their controlled server. When the Angular application processes this URL, it will inadvertently transmit the XSRF token to the attacker's domain.
Root Cause
The root cause is insufficient URL validation in the xsrfInterceptorFn function located in packages/common/http/src/xsrf.ts. The original implementation used a simple string comparison to detect absolute URLs by checking for http:// or https:// prefixes. This approach failed to recognize that protocol-relative URLs (//example.com) also represent absolute cross-origin destinations, as browsers resolve them using the current page's protocol scheme.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker must identify an Angular application that:
- Uses HttpClient with default XSRF protection enabled
- Allows user-controlled or externally-influenced URL parameters in HTTP requests
Once these conditions are met, the attacker can supply a protocol-relative URL (e.g., //attacker.com/endpoint) that the application will treat as same-origin, resulting in the XSRF token being transmitted to the attacker's server in the X-XSRF-TOKEN header.
// Security patch introducing ABSOLUTE_URL_REGEX
// Source: https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f
}
}
+/**
+ * Regex to match absolute URLs, including protocol-relative URLs.
+ */
+const ABSOLUTE_URL_REGEX = /^(?:https?:)?\/\//i;
export function xsrfInterceptorFn(
req: HttpRequest<unknown>,
next: HttpHandlerFn,
): Observable<HttpEvent<unknown>> {
- const lcUrl = req.url.toLowerCase();
// Skip both non-mutating requests and absolute URLs.
// Non-mutating requests don't require a token, and absolute URLs require special handling
// anyway as the cookie set
The patch introduces a new regex pattern ABSOLUTE_URL_REGEX that correctly identifies both explicit protocol URLs (https:// or http://) and protocol-relative URLs (//) as absolute URLs, preventing token attachment for cross-origin requests.
Detection Methods for CVE-2025-66035
Indicators of Compromise
- Outbound HTTP requests containing X-XSRF-TOKEN headers directed to external or unexpected domains
- Network traffic showing XSRF tokens being transmitted to third-party endpoints
- Application logs indicating HttpClient requests with protocol-relative URLs (//) in the request path
- Unusual authentication failures or session anomalies following XSRF token compromise
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block outbound requests containing XSRF tokens to non-whitelisted domains
- Deploy network monitoring to identify HTTP requests with X-XSRF-TOKEN headers being sent to external IP addresses or domains
- Audit Angular application source code for usage of protocol-relative URLs in HttpClient requests
- Review browser developer tools network tabs during application testing to verify XSRF tokens are not leaked
Monitoring Recommendations
- Configure SIEM alerting for anomalous patterns of X-XSRF-TOKEN header transmission to external destinations
- Implement Content Security Policy (CSP) headers to restrict request destinations and report violations
- Monitor application dependency versions to ensure Angular is updated to patched releases
- Enable verbose logging for HttpClient requests to capture URL patterns and token attachment behavior
How to Mitigate CVE-2025-66035
Immediate Actions Required
- Upgrade Angular to version 19.2.16, 20.3.14, or 21.0.1 or later immediately
- Audit all HttpClient request URLs in your application codebase for protocol-relative URL patterns
- Review and sanitize any user-controlled input that influences HTTP request URLs
- Implement input validation to reject or transform protocol-relative URLs before passing them to HttpClient
Patch Information
Angular has released security patches across three version branches to address this vulnerability. The fix introduces a new regex pattern (ABSOLUTE_URL_REGEX) that correctly identifies protocol-relative URLs as absolute cross-origin URLs, preventing XSRF token attachment.
Patched versions are available:
For complete technical details, refer to GitHub Security Advisory GHSA-58c5-g7wp-6w37.
Workarounds
- Avoid using protocol-relative URLs (URLs starting with //) in all HttpClient requests
- Use only relative paths (starting with a single /) for same-origin API calls
- Use fully qualified absolute URLs with explicit protocols (https://) for trusted cross-origin requests
- Implement URL validation middleware to detect and reject protocol-relative URL patterns before they reach HttpClient
# Configuration example
# Search for protocol-relative URLs in your Angular codebase
grep -rn "http\." --include="*.ts" | grep "\/\/" | grep -v "http://" | grep -v "https://"
# Example of safe URL patterns in TypeScript
# UNSAFE: const url = "//api.example.com/data"
# SAFE: const url = "/api/data"
# SAFE: const url = "https://api.example.com/data"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
