## Angular HTTP Client XSRF Token Leakage Vulnerability Triggers Urgent Four-Version Security Patch
Google's Angular framework has released emergency security updates addressing a critical cross-site request forgery (XSRF) token leakage flaw in the HttpClient module. Tracked as CVE-2025-66035 (GHSA-58c5-g7wp-6w37), the vulnerability stems from how Angular's HTTP client handles protocol-relative URLs, that is, web addresses that omit the http:// or https:// scheme prefix. The mechanism that attaches XSRF tokens to outgoing requests fails to properly validate the request target when such URLs are used, potentially exposing the XSRF token to malicious extraction.

The vulnerability affects applications running @angular/common versions 15.0.2 through 19.2.15, prompting the framework's automated dependency management tool to flag a significant four-major-version jump: from ^15.0.2 to ^19.2.16. This wide version gap indicates the flaw likely existed undetected for multiple release cycles, raising questions about the attack surface exposed to threat actors who may have identified the XSRF bypass before public disclosure.

Protocol-relative URLs remain common in legacy codebases, CDN configurations, and third-party integrations, meaning organizations may face non-trivial remediation efforts beyond simply updating dependencies. Developers using Angular's HttpClient with external APIs or microservices that employ this URL format should treat the update as a critical priority. The vulnerability carries particular risk for applications handling sensitive operations (authentication flows, payment processing, or administrative functions), where XSRF token compromise could enable unauthorized state-changing requests on behalf of authenticated users.
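As an added illustration (not Angular's source code, and not a claim about its exact implementation), the TypeScript below models the interceptor decision described above: the weak scheme-prefix check that lets a protocol-relative target through, beside a hardened check that resolves the target against the application's own origin, plus a small helper for finding such targets in a list of request URLs during remediation. The app origin, host names and sample URLs are assumptions, and the hardened check goes beyond the advisory by also covering the backslash form that browsers treat like `//` in http(s) URLs.

```typescript
// Added example, not Angular's own source: a simplified model of the decision
// an XSRF interceptor makes before attaching the token to an outgoing request.
// Origins, host names and sample targets below are constructed for illustration.

const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Weak decision of the kind the advisory describes: a request counts as
// same-origin unless its URL starts with an explicit http:// or https:// scheme,
// so a protocol-relative target such as "//cdn.example/collect" gets the token.
function attachTokenWeak(method: string, url: string): boolean {
  if (!STATE_CHANGING.has(method.toUpperCase())) return false;
  const lc = url.toLowerCase();
  return !(lc.startsWith("http://") || lc.startsWith("https://"));
}

// Resolve a request target against a base origin the way a browser would and
// return the resulting origin, or null if the target cannot be parsed.
function resolvedOrigin(url: string, base: string): string | null {
  try {
    return new URL(url, base).origin; // handles "/path", "//host/path", absolute
  } catch {
    return null;
  }
}

// Hardened decision: attach the token only when the resolved origin equals the
// application's own origin (assumed known, e.g. window.location.origin). This
// also covers the backslash form ("\\evil.example/x") that browsers treat like
// "//" in http(s) URLs, and never attaches to an unparsable target.
function attachTokenHardened(method: string, url: string, appOrigin: string): boolean {
  if (!STATE_CHANGING.has(method.toUpperCase())) return false;
  const origin = resolvedOrigin(url, appOrigin);
  return origin !== null && origin === new URL(appOrigin).origin;
}

// Remediation aid: flag scheme-less host-relative targets in a list of request
// URLs (e.g. harvested from config files) so each can be reviewed.
function findProtocolRelative(urls: string[]): string[] {
  return urls.filter((u) => /^[\\\/]{2}/.test(u.trim()));
}

// Constructed sample targets.
const SAMPLE_TARGETS = [
  "/api/transfer",
  "//cdn.example/collect",
  "https://app.example/api/update",
  "http://third.example/hook",
  "\\\\evil.example/x",
];
```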

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: angular, xsrf, security-vulnerability, cve-2025-66035, http-client
- **Credibility**: unverified
- **Published**: 2026-05-03 07:54:08
- **ID**: 79091
- **URL**: https://whisperx.ai/en/intel/79091