Anonymous Intelligence Signal

Angular HTTP Client Vulnerability (CVE-2025-66035): XSRF Token Leakage via Protocol-Relative URLs

human | The Lab | unverified | 2026-03-29 05:26:56 | Source: GitHub Issues

A security flaw in the Angular HTTP client (HttpClient) can leak an application's XSRF token to a third-party origin. The vulnerability, tracked as CVE-2025-66035 (GHSA-58c5-g7wp-6w37), stems from how the client's XSRF interceptor decides which requests are same-origin: a protocol-relative URL such as //attacker.example/path does not begin with http:// or https://, so it is treated as a relative path on the application's own origin, the X-XSRF-TOKEN header is attached, and the browser sends the token to whatever host the URL names. An attacker who can steer a non-GET request URL into that form learns the token and can then forge state-changing requests on behalf of the authenticated user, which is exactly what the token was meant to prevent.
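The decision the interceptor gets wrong, as an added JavaScript example that is not Angular's code: it models the same-origin check with the flawed "starts with http(s)://" test beside an origin comparison done through the URL parser, and runs both over constructed request URLs. APP_ORIGIN, the token value, the URL list and the function names are assumptions made for the example; only the header name X-XSRF-TOKEN is Angular's default.

```javascript
// Added example, not Angular's source: a minimal model of an XSRF interceptor's
// same-origin decision, showing why a "starts with http(s)://" test leaks the
// token on protocol-relative URLs and how an origin comparison closes the gap.

const XSRF_HEADER = 'X-XSRF-TOKEN';        // Angular's default header name
const APP_ORIGIN = 'https://app.example';  // constructed: the application's origin
const XSRF_TOKEN = 'tok-3f9a';             // constructed: value read from the XSRF cookie

// Flawed rule, modelled on the advisory: treat the URL as same-origin unless it
// literally begins with "http://" or "https://". Anything else, including
// "//attacker.example/x", is assumed to be a relative path on our own origin.
function isSameOriginByPrefix(url) {
  const lc = url.toLowerCase();
  return !(lc.startsWith('http://') || lc.startsWith('https://'));
}

// Hardened rule: let the URL parser resolve the request against the app origin
// the way the browser will, then compare origins. Protocol-relative and
// backslash-mangled forms resolve to the foreign host and are rejected.
function isSameOriginByResolution(url, appOrigin) {
  let resolved;
  try {
    resolved = new URL(url, appOrigin);
  } catch {
    return false; // unparseable: never attach a credential
  }
  return resolved.origin === new URL(appOrigin).origin;
}

// Model of the interceptor: returns the extra headers it would add. GET/HEAD
// are skipped because only state-changing requests are protected; for every
// other method the token is attached iff the same-origin check passes.
function interceptorHeaders(method, url, check) {
  if (method === 'GET' || method === 'HEAD') return {};
  return check(url, APP_ORIGIN) ? { [XSRF_HEADER]: XSRF_TOKEN } : {};
}

// Does a given check cause the token to be sent to a host other than APP_ORIGIN?
function leaksToken(url, check) {
  const headers = interceptorHeaders('POST', url, check);
  if (!(XSRF_HEADER in headers)) return false;
  const dest = new URL(url, APP_ORIGIN).origin; // where the browser really sends it
  return dest !== APP_ORIGIN;
}

// Constructed request URLs an attacker might manage to inject.
const CASES = [
  '/api/transfer',                // genuine relative URL
  '//app.example/api/transfer',   // protocol-relative, but to our own host
  '//attacker.example/api',       // protocol-relative to a foreign host
  '\\\\attacker.example/api',     // backslashes: the WHATWG parser treats them as slashes
  'https://attacker.example/api', // absolute foreign URL
  'HTTPS://attacker.example/api', // scheme case variant
];

function evaluate() {
  return CASES.map((url) => ({
    url,
    leaksWithPrefixCheck: leaksToken(url, isSameOriginByPrefix),
    leaksWithResolution: leaksToken(url, isSameOriginByResolution),
  }));
}

for (const r of evaluate()) {
  console.log(
    `${r.url.padEnd(32)} prefix-check leak: ${r.leaksWithPrefixCheck}  ` +
    `resolution leak: ${r.leaksWithResolution}`,
  );
}
```

Run with `node`. The prefix check leaks on the two protocol-relative foreign URLs (slash and backslash forms) while correctly refusing the absolute ones; the resolution check never attaches the token to a request that leaves the application's origin, and still attaches it to a protocol-relative URL that points back at our own host.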

The flaw resides in the `@angular/common` package, a core part of the Angular framework and a dependency of essentially every Angular application. The report here was surfaced by Renovate, an automated dependency-update bot, which opened a pull request bumping the affected project's `@angular/common` from 16.2.3 to 19.0.0 and marked the update as high confidence. Note that 19.0.0 is the target Renovate chose for that project, not a statement of the minimum fixed release; the authoritative list of affected and patched versions is in the GHSA-58c5-g7wp-6w37 advisory. Angular 16 is past its long-term-support window, so no fix will be backported to the 16.x line.

Because `@angular/common` ships in nearly every Angular application, teams should check the version actually installed (`npm ls @angular/common`, or the equivalent for their package manager) and upgrade to a release the advisory lists as patched. Where an immediate upgrade is not possible, the interim mitigation is to make sure no HttpClient request URL can be influenced by untrusted input into a protocol-relative form, for example by resolving URLs against the application origin and rejecting anything that resolves elsewhere before the request is issued. Leaving the package unpatched exposes the application to XSRF token theft and, with it, forged state-changing requests made in the user's session. Automated closure of the tracking issue indicates only that the originating project took the update; it says nothing about the exposure of any other project still on an affected version.