common-15.2.2.tgz: 1 vulnerabilities (highest severity is: 8.6) #514

@mend-bolt-for-github

Description

Vulnerable Library - common-15.2.2.tgz

Angular - commonly needed directives and services

Library home page: https://registry.npmjs.org/@angular/common/-/common-15.2.2.tgz

Path to dependency file: /MangoAPI.Client/package.json

Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/common/package.json

Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (common version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-66035 | High | 8.6 | common-15.2.2.tgz | Direct | https://github.com/angular/angular.git - 20.3.14, https://github.com/angular/angular.git - 19.2.16 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-66035

Dependency Hierarchy:

  • common-15.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2

Found in base branch: main

Vulnerability Details

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular's HTTP client. The vulnerability is a credential leak by application logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that decides whether a request is cross-origin by checking whether the request URL starts with a protocol (http:// or https://). A protocol-relative URL (one starting with //) does not start with a protocol, so it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header even though the browser resolves such a URL against the host named after the //. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround is to avoid protocol-relative URLs (URLs starting with //) in HttpClient requests: all backend communication URLs should be hardcoded as relative paths (starting with a single /) or as fully qualified, trusted absolute URLs.

Publish Date: 2025-11-26

URL: CVE-2025-66035

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2025-11-26

Fix Resolution: https://github.com/angular/angular.git - 20.3.14, https://github.com/angular/angular.git - 19.2.16
