Platform: nodejs
Component: @angular/common
Fixed versions: 21.0.1, 20.0.1, 19.2.17
CVE-2025-66035 is a credential leak vulnerability in Angular Common, specifically in its HttpClient module. The flaw lets an attacker obtain the Cross-Site Request Forgery (XSRF) token and reuse it to forge requests. It affects versions of Angular Common prior to 21.0.1 and is triggered by protocol-relative URLs. A fix is available in version 21.0.1.
The core of the vulnerability is how Angular's HttpClient classifies protocol-relative URLs (those starting with //). Instead of recognising them as cross-origin requests, HttpClient treats them as same-origin. As a result, the XSRF token that is meant to protect against CSRF is automatically added to the X-XSRF-TOKEN header of a request that actually leaves the application's origin. An attacker who obtains the token, whether by receiving such a request, through network sniffing, or by injecting a script into a compromised page, can then forge requests on behalf of the user, gaining unauthorized access to sensitive data or performing actions without the user's consent. This bypasses Angular's built-in XSRF protection entirely. The potential impact includes unauthorized data modification, account takeover, and other CSRF-related attacks.
CVE-2025-66035 was published on 2025-11-26. The vulnerability's impact is significant due to its ease of exploitation and the potential for widespread compromise, particularly in applications heavily reliant on Angular's HttpClient. There are currently no publicly available exploits or active campaigns targeting this vulnerability, but the simplicity of the attack vector suggests it could be rapidly exploited once a proof-of-concept is developed. The EPSS score is pending evaluation, but the potential for widespread impact warrants careful attention.
Exploit status
EPSS: 0.07% (23rd percentile)
CISA SSVC
The primary mitigation for CVE-2025-66035 is to upgrade to Angular Common version 21.0.1 or later, which contains the fix. If upgrading is not immediately feasible, a temporary workaround is to review all HttpClient requests and ensure that protocol-relative URLs are not used. While not a complete solution, this reduces the attack surface. Additionally, apply strict Content Security Policy (CSP) rules to restrict the sources from which scripts can be loaded, further limiting an attacker's ability to inject malicious code. Monitor network traffic for the XSRF token appearing in requests to origins other than your own. After upgrading, confirm the fix by issuing HttpClient requests with protocol-relative URLs and verifying that the XSRF token is no longer placed in the X-XSRF-TOKEN header.
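The same-origin misclassification described above and the post-upgrade check recommended here, as an added TypeScript example that is not Angular's own code: a prefix-based classifier (an assumed stand-in for the vulnerable logic, not a claim about Angular's exact implementation) is compared with one that resolves the URL against the page origin. `PAGE_ORIGIN`, the helper names and every URL are constructed sample values.

```typescript
// Added example (not Angular's code). Models how an interceptor-style
// same-origin decision determines whether the XSRF token is attached, and why
// a prefix-based check leaks the token on protocol-relative URLs.
// PAGE_ORIGIN and every URL below are constructed sample values.
const PAGE_ORIGIN = 'https://app.example';

// Assumed weak classifier: a request is "same-origin" unless its URL begins
// with an explicit http:// or https:// scheme, so "//other.example/..." passes.
function naiveIsSameOrigin(url: string): boolean {
  const lc = url.toLowerCase();
  return !(lc.startsWith('http://') || lc.startsWith('https://'));
}

// Hardened classifier: resolve the URL against the page origin with the WHATWG
// URL parser, which treats "//host/path" as scheme-relative, then compare origins.
function resolvedIsSameOrigin(url: string, pageOrigin: string = PAGE_ORIGIN): boolean {
  try {
    return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch {
    return false; // unparsable URL: never attach the token
  }
}

// Audit helper for the workaround in the advisory: flag protocol-relative URLs.
function isProtocolRelative(url: string): boolean {
  return /^\s*\/\//.test(url);
}

// Build request headers; the token is attached only when the classifier says
// the target is same-origin.
function buildHeaders(url: string, xsrfToken: string,
                      sameOrigin: (u: string) => boolean): Record<string, string> {
  const headers: Record<string, string> = { Accept: 'application/json' };
  if (sameOrigin(url)) headers['X-XSRF-TOKEN'] = xsrfToken;
  return headers;
}

// Post-upgrade check from the advisory: true if the token would be sent to a
// URL that does not resolve to the page's own origin.
function xsrfLeaks(url: string, sameOrigin: (u: string) => boolean): boolean {
  return 'X-XSRF-TOKEN' in buildHeaders(url, 'sample-token', sameOrigin)
    && !resolvedIsSameOrigin(url);
}
```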
Update Angular to version 19.2.16, 20.3.14 or 21.0.1, or later. Alternatively, avoid using protocol-relative URLs (URLs that begin with //) in HttpClient requests. Use relative paths (beginning with /) or complete, trusted absolute URLs.
CVE-2025-66035 is a HIGH severity vulnerability in Angular Common affecting versions before 21.0.1. It allows unauthorized disclosure of the XSRF token via protocol-relative URLs, enabling CSRF attacks.
You are affected if you are using Angular Common versions prior to 21.0.1 and your application utilizes HttpClient with protocol-relative URLs.
Upgrade to Angular Common version 21.0.1 or later to resolve the vulnerability. As a temporary workaround, avoid using protocol-relative URLs in HttpClient requests.
Currently, there are no publicly known active exploits or campaigns targeting CVE-2025-66035, but the ease of exploitation suggests potential for future attacks.
Refer to the official Angular security advisories on the Angular website for detailed information and updates regarding CVE-2025-66035: [https://angular.io/security](https://angular.io/security)