Search for packages
| purl | pkg:npm/%40angular/common@21.0.0-next.9 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-x8wa-kpm3-abh9
Aliases: CVE-2025-66035 GHSA-58c5-g7wp-6w37 |
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client The vulnerability is a **Credential Leak by App Logic** that leads to the **unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token** to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (`http://` or `https://`) to determine if it is cross-origin. If the URL starts with protocol-relative URL (`//`), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the `X-XSRF-TOKEN` header. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-17T00:00:16.523669+00:00 | GitLab Importer | Affected by | VCID-x8wa-kpm3-abh9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/common/CVE-2025-66035.yml | 38.4.0 |
| 2026-04-12T01:23:02.645866+00:00 | GitLab Importer | Affected by | VCID-x8wa-kpm3-abh9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/common/CVE-2025-66035.yml | 38.3.0 |
| 2026-04-03T01:31:44.165880+00:00 | GitLab Importer | Affected by | VCID-x8wa-kpm3-abh9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@angular/common/CVE-2025-66035.yml | 38.1.0 |