Vulnerable Library - common-11.2.7.tgz
Angular - commonly needed directives and services
Library home page: https://registry.npmjs.org/@angular/common/-/common-11.2.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-66035
Vulnerable Library - common-11.2.7.tgz
Angular - commonly needed directives and services
Library home page: https://registry.npmjs.org/@angular/common/-/common-11.2.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ common-11.2.7.tgz (Vulnerable Library)
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
rxzu-0.0.1/packages/angular-storybook/stories/themes/vonage-studio/vonage-studio.module.ts (Application)
-> ❌ @angular/common-11.2.7/bundles/common.umd.js (Vulnerable Component)
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
Publish Date: 2025-11-26
URL: CVE-2025-66035
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-11-26
Fix Resolution: https://github.com/angular/angular.git - 19.2.16,https://github.com/angular/angular.git - 20.3.14
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
Angular - commonly needed directives and services
Library home page: https://registry.npmjs.org/@angular/common/-/common-11.2.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - common-11.2.7.tgz
Angular - commonly needed directives and services
Library home page: https://registry.npmjs.org/@angular/common/-/common-11.2.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
Publish Date: 2025-11-26
URL: CVE-2025-66035
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-11-26
Fix Resolution: https://github.com/angular/angular.git - 19.2.16,https://github.com/angular/angular.git - 20.3.14
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules