A serious flaw in Angular’s HTTP Client exposes users’ XSRF tokens to attacker-controlled sites, enabling CSRF attacks that bypass built-in protections.
Tracked as CVE-2025-66035 with a CVSS score of 7.5 (High severity), this issue affects the @angular/standard package.
It stems from the mishandling of protocol-relative URLs such as “//attacker.com”. An Angular team member, alan-agius4, disclosed it last week via the GitHub advisory GHSA-58c5-g7wp-6w37.
Angular’s HttpClient adds XSRF tokens to headers for same-origin requests to prevent cross-site request forgery, which attackers exploit to trick browsers into performing unwanted actions.
The code checks whether a URL starts with “http://” or “https://” to flag cross-origin traffic; otherwise, it assumes same-origin and attaches the token via the X-XSRF-TOKEN header.
Protocol-relative URLs (starting with “//”) bypass this logic, so apps send valid session tokens to malicious domains during state-changing requests such as POST or PUT.
Attackers need two conditions: the app must enable XSRF protection (which is the default in Angular), and developers must use protocol-relative URLs for backend calls.
Once leaked, the token lets attackers forge requests, such as altering user data, processing fake transactions, or changing account settings in the victim’s session.
No direct cookie theft occurs, but the impact rivals that of session hijacking, since tokens validate actions without requiring full auth cookies.
This credential leak (CWE-201) affects apps in finance, e-commerce, or any with sensitive POST operations.
Browsers resolve “//evil.com” using the current page’s protocol, but Angular performs no origin check on such URLs, so the token is sent along with the request.
| Versions Affected | Patched Versions |
|---|---|
| >=21.0.0-next.0, <21.0.1 | 21.0.1 |
| >=20.0.0-next.0, <20.3.14 | 20.3.14 |
| >=19.0.0-next.0, <19.2.16 | 19.2.16 |
| <=18.2.14 | None |
Upgrade immediately to patched releases: 21.0.1, 20.3.14, or 19.2.16. As a workaround, ban protocol-relative URLs; use root-relative paths (“/api/endpoint”) or complete HTTPS absolute URLs for all HttpClient calls.
Scan codebases for “//” in requests and audit third-party libraries that rely on Angular HttpClient.
Developers should test apps with authenticated sessions to confirm there are no leaks. This fix restores proper origin detection, ensuring tokens stay server-side only.
With millions of Angular sites live, swift patching prevents widespread CSRF exploits.
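The following TypeScript is an added illustration, not Angular’s source code, of the flawed “starts with http(s)://” check described above next to a hardened check that resolves the URL the way the browser does, plus a small helper for the audit step (scanning request URLs for “//”). The page origin, token value and function names are assumptions; the hardened check also catches backslash variants that browsers treat as protocol-relative, which goes beyond the advisory text.

```typescript
// Added illustration (not Angular's code): vulnerable vs. hardened
// "is this request cross-origin?" predicate for an XSRF interceptor.
const PAGE_ORIGIN = "https://app.example"; // assumed deployed origin
const SAMPLE_TOKEN = "xsrf-token-sample"; // constructed, not a real secret

// Flawed logic as described in the advisory: only absolute http(s) URLs
// count as cross-origin, so "//evil.example/api" is treated as same-origin.
export function isCrossOriginVulnerable(url: string): boolean {
  return url.startsWith("http://") || url.startsWith("https://");
}

// Hardened check: resolve the URL against the page origin exactly as the
// browser will (protocol-relative forms included) and compare origins.
export function isCrossOriginHardened(url: string, pageOrigin = PAGE_ORIGIN): boolean {
  try {
    return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
  } catch {
    return true; // unparsable URL: fail closed, never attach the token
  }
}

// Build headers for a state-changing request; the XSRF token is attached
// only when the supplied predicate says the request stays same-origin.
export function buildHeaders(
  url: string,
  isCrossOrigin: (u: string) => boolean,
  token = SAMPLE_TOKEN,
): Record<string, string> {
  const headers: Record<string, string> = { "Content-Type": "application/json" };
  if (!isCrossOrigin(url)) headers["X-XSRF-TOKEN"] = token;
  return headers;
}

// Audit helper for the workaround on the page: flag request URLs that
// start with "//" (or "\\", which browsers also treat as protocol-relative)
// so they can be rewritten to root-relative paths or absolute HTTPS URLs.
export function findProtocolRelative(urls: string[]): string[] {
  return urls.filter((u) => /^[\\/]{2}/.test(u.trim()));
}
```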