Bug 2417389 (CVE-2025-66035)

Summary: CVE-2025-66035 angular: Angular HTTP Client Has XSRF Token Leakage via Protocol-Relative URLs
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: alcohan, amctagga, aoconnor, aschwart, asoldano, bbaranow, bdettelb, bmaxwell, bniver, boliveir, brian.stansberry, darran.lofthouse, doconnor, dosoudil, eglynn, fjuma, flucifre, gmalinko, gmeno, gotiwari, gparvin, groman, istudens, ivassile, iweiss, janstey, jbalunas, jcantril, jgrulich, jhorak, jjoyce, jkoehler, jschluet, lchilton, lhh, lphiri, lsvaty, marcel.d.cornu, mbenjamin, mburns, mgarciac, mhackett, mosmerov, mposolda, msvehla, mvyas, nwallace, owatkins, pahickey, pdelbell, pesilva, pgrist, pjindal, pmackay, rhaigner, rmartinc, rojacob, rstancel, rstepani, sfeifer, smaestri, sostapov, ssilvert, sthorger, teagle, tom.jenkinson, tpopela, vereddy, vmuzikar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A logic error in Angular's built-in XSRF protection causes the framework to misclassify protocol-relative URLs (URLs starting with "//") as same-origin. As a result, the client automatically appends the XSRF token in an X-XSRF-TOKEN header and sends it to the remote domain, which may be attacker-controlled, enabling unauthorized disclosure of the token and bypass of CSRF protection.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2419553, 2419554, 2419555, 2419556, 2419557, 2419558, 2419559, 2419560, 2419561, 2419562, 2419563, 2419564, 2419565, 2419566, 2419567, 2419568, 2419569, 2419570, 2419571, 2419582, 2419584, 2419577, 2419578, 2419579, 2419580, 2419581, 2419583, 2419585
Bug Blocks:

Description OSIDB Bzimport 2025-11-26 23:01:29 UTC
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular's HTTP client. The vulnerability is a credential leak through application logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that decides whether a request is cross-origin by checking whether the request URL starts with a protocol (http:// or https://). If the URL is protocol-relative (starts with //), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue is to avoid protocol-relative URLs (URLs starting with //) in HttpClient requests: all backend communication URLs should be hardcoded as relative paths (starting with a single /) or as fully qualified, trusted absolute URLs.
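The vulnerable check and the patched check described above, modelled as an added example (not Angular's own source), together with the advisory's workaround written as a URL validator; the request shape, the caller-supplied token, the GET/HEAD exemption and the trusted-origin list are assumptions:

```typescript
// Simplified model of the XSRF-token decision described in CVE-2025-66035.
// Added illustration only, not Angular's source: the request shape, the
// token being passed in by the caller, and the GET/HEAD exemption are
// assumptions made to keep the model self-contained.
type Req = { method: string; url: string; headers: Record<string, string> };

const TOKEN_HEADER = "X-XSRF-TOKEN";

// Vulnerable decision: only "http://" and "https://" mark a request as
// cross-origin, so a protocol-relative "//other.example/..." URL is
// treated as same-origin and still receives the token.
function addXsrfVulnerable(req: Req, token: string | null): Req {
  const lcUrl = req.url.toLowerCase();
  if (req.method === "GET" || req.method === "HEAD" || token === null ||
      lcUrl.startsWith("http://") || lcUrl.startsWith("https://") ||
      TOKEN_HEADER in req.headers) {
    return req;
  }
  return { ...req, headers: { ...req.headers, [TOKEN_HEADER]: token } };
}

// Patched decision: a URL beginning with "//" is also cross-origin and
// must never carry the token.
function addXsrfFixed(req: Req, token: string | null): Req {
  if (req.url.startsWith("//")) return req;
  return addXsrfVulnerable(req, token);
}

// The advisory's workaround for applications that cannot upgrade yet:
// validate backend URLs before they reach HttpClient. Only a single-slash
// relative path or an absolute http(s) URL on a trusted origin is accepted.
// Backslashes are normalised first because the WHATWG URL parser treats
// "\" like "/" for http(s) URLs, so "/\other.example/x" would also resolve
// to another host (added hardening, not taken from the advisory).
function isAllowedBackendUrl(url: string, trustedOrigins: string[]): boolean {
  const norm = url.replace(/\\/g, "/");
  if (norm.startsWith("//")) return false;
  if (norm.startsWith("/")) return true;
  const m = /^(https?):\/\/([^\/?#]+)/i.exec(norm);
  if (!m) return false; // not an absolute http(s) URL: refuse rather than guess
  const origin = `${m[1].toLowerCase()}://${m[2].toLowerCase()}`;
  return trustedOrigins.indexOf(origin) !== -1;
}
```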

Comment 4 Marcel Cornu 2025-12-11 10:28:55 UTC
This vulnerability is related to an Angular application located in the same Git repository as the pqos library and utilities. However, only the pqos library and utilities are included in the intel-cmt-cat Linux package; the Angular application is not included. So I believe this vulnerability does not affect the package.