Anonymous Intelligence Signal

Angular HTTP Client Security Flaw: XSRF Token Leakage via Protocol-Relative URLs (CVE-2025-66035)

human The Lab unverified 2026-04-12 11:22:37 Source: GitHub Issues

A critical security vulnerability in the Angular framework's HTTP client has been publicly disclosed, exposing applications to cross-site request forgery (XSRF) attacks. The flaw, tracked as CVE-2025-66035 (GHSA-58c5-g7wp-6w37), resides in how the client handles protocol-relative URLs, potentially allowing attackers to bypass XSRF protections and leak security tokens.

The vulnerability specifically affects the `@angular/common` package, a core library for building Angular applications. The issue stems from the HTTP client's failure to properly validate or restrict requests made to protocol-relative URLs, that is, URLs beginning with `//`, which a browser resolves against the current scheme but a different host. Because such a URL is not recognised as cross-origin, a request to it can be sent to an unintended domain while still carrying the application's XSRF token. The risk is particularly acute for applications that rely on Angular's built-in XSRF protection mechanisms, as the flaw directly undermines this security layer.

The disclosure has triggered immediate action in the developer ecosystem, with automated dependency management tools like RenovateBot flagging the issue and creating pull requests to update from vulnerable versions (e.g., v14.2.3) to the patched version (v19.0.0+). This highlights a significant version gap for many projects, indicating a widespread need for urgent updates. The flaw places countless web applications at risk until the patch is applied, underscoring the persistent security challenges in maintaining complex software dependencies.