Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/%40angular/common@19.2.16
purl pkg:npm/%40angular/common@19.2.16
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-x8wa-kpm3-abh9 Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client The vulnerability is a **Credential Leak by App Logic** that leads to the **unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token** to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (`http://` or `https://`) to determine if it is cross-origin. If the URL starts with protocol-relative URL (`//`), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the `X-XSRF-TOKEN` header. CVE-2025-66035
GHSA-58c5-g7wp-6w37

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T16:07:11.906841+00:00 GHSA Importer Fixing VCID-x8wa-kpm3-abh9 https://github.com/advisories/GHSA-58c5-g7wp-6w37 38.0.0
2026-04-01T12:56:28.096804+00:00 GithubOSV Importer Fixing VCID-x8wa-kpm3-abh9 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-58c5-g7wp-6w37/GHSA-58c5-g7wp-6w37.json 38.0.0
2026-04-01T12:53:25.219140+00:00 GitLab Importer Fixing VCID-x8wa-kpm3-abh9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/common/CVE-2025-66035.yml 38.0.0