Insertion of Sensitive Information Into Sent Data Affecting @angular/common package, versions <19.2.16>=20.0.0-next.0 <20.3.14>=21.0.0-next.0 <21.0.1
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-ANGULARCOMMON-14135651
- published27 Nov 2025
- disclosed26 Nov 2025
- creditAKileX
Introduced: 26 Nov 2025
NewCVE-2025-66035 (opens in a new tab)How to fix?
Upgrade @angular/common to version 19.2.16, 20.3.14, 21.0.1 or higher.
Overview
Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the HttpClient which has a built-in XSRF protection mechanism. An attacker can obtain sensitive authentication tokens by crafting requests using protocol-relative URLs that cause the token to be sent to domains under the attacker's control.
Note: This is only exploitable if XSRF protection is enabled and the application allows requests to protocol-relative URLs.
Workaround
This vulnerability can be mitigated by avoiding the use of protocol-relative URLs (those starting with //) in requests and ensuring all backend communication URLs are either relative paths or fully qualified, trusted absolute URLs.