
Angular XSRF Token Leakage via Protocol-Relative URLs (66035)

Updated on Dec 8, 2025

Environment

Framework: Angular
Affected Dependency: @angular/common

Description

Security Notification - December 2025 - CVE-2025-66035

  • Angular HttpClient in @angular/common (<=19.2.15)

What Are the Impacts

Angular's HttpClient has a vulnerability that can lead to the unauthorized disclosure of Cross-Site Request Forgery (XSRF) tokens to attacker-controlled domains. The vulnerability occurs when protocol-relative URLs (starting with //) are used in HTTP requests. These URLs are incorrectly treated as same-origin requests, causing Angular to automatically add the XSRF token to the X-XSRF-TOKEN header, which then leaks to the external domain.

The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.
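The mechanism described above comes down to a same-origin test that does not recognise protocol-relative URLs. The following is an added illustration, not Angular's source code: a naive check modelled on the behaviour described on this page (anything that does not start with `http://` or `https://` is treated as relative) next to a hardened check that resolves the URL against the application origin with the WHATWG `URL` parser before comparing origins. The origin `https://app.example`, the host `attacker.example` and the helper names are assumptions for the example.

```javascript
// Assumed application origin (constructed for this example).
const APP_ORIGIN = 'https://app.example';

// Naive check: anything not starting with http(s):// is treated as relative.
// "//attacker.example/api" passes this test, so a token would be attached.
function naiveIsSameOrigin(url) {
  const lc = url.toLowerCase();
  return !(lc.startsWith('http://') || lc.startsWith('https://'));
}

// Hardened check: resolve the request URL against the app origin. The URL
// parser handles protocol-relative ("//host"), scheme-relative and
// backslash forms, so only a genuinely same-origin result survives.
function isSameOrigin(url, origin = APP_ORIGIN) {
  let resolved;
  try {
    resolved = new URL(url, origin);
  } catch (e) {
    return false; // unparsable input is never treated as same-origin
  }
  return resolved.origin === new URL(origin).origin;
}

// Builds the outgoing headers the way an XSRF interceptor would: the token is
// attached only for state-changing methods and only when the chosen
// same-origin check accepts the URL. The check is injected so both variants
// can be compared on the same request.
function attachXsrfHeader(method, url, token, sameOriginCheck = isSameOrigin) {
  const headers = {};
  const m = method.toUpperCase();
  if (m === 'GET' || m === 'HEAD') return headers;
  if (token && sameOriginCheck(url)) {
    headers['X-XSRF-TOKEN'] = token;
  }
  return headers;
}

// Constructed sample request: a POST to a protocol-relative URL.
const sampleUrl = '//attacker.example/api';
console.log('naive  :', attachXsrfHeader('POST', sampleUrl, 'tok123', naiveIsSameOrigin));
console.log('hardened:', attachXsrfHeader('POST', sampleUrl, 'tok123', isSameOrigin));
```

Running the block prints an `X-XSRF-TOKEN` header for the naive variant and an empty header set for the hardened one. Comparing resolved origins rather than string prefixes is the property a reviewer should look for in any custom interceptor that decides whether to attach a credential.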

Attack Preconditions

For this vulnerability to be exploited, the following conditions must be met:

  • The victim's Angular application must have XSRF protection enabled.
  • The attacker must be able to make the application send a state-changing HTTP request (for example, POST) to a protocol-relative URL (for example, //attacker.com) that they control.

Issue

The vulnerability is classified as a Credential Leak by App Logic issue, which falls under the category of:

  • CWE-201: Insertion of Sensitive Information Into Sent Data
  • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Solution

We strongly recommend updating the Angular version to at least v19.2.16, which addresses this issue. The update will ensure that your application is secure against this vulnerability.

Affected Versions: <= v19.2.15
Update to: >= v19.2.16

To update your Angular version, follow the Angular update guide.

Angular v19.2.7 also fixes another security vulnerability. For more details, see Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes (66412).

External References