CVE-2025-66035 Vulnerability In Common-13.3.11.tgz

by Alex Johnson

This article discusses CVE-2025-66035, a Cross-Site Request Forgery (XSRF) token leak in the common-13.3.11.tgz package (@angular/common, part of the Angular framework) that the scanning source reports with a CVSS score of 0.0. The score understates the problem: the bug makes Angular's HttpClient send the user's XSRF token to other origins, so it is worth understanding the mechanism, the precondition an attacker needs, and the remediation steps before deciding how urgently to act. Let's delve into the specifics of this vulnerability, its implications, and the recommended steps for remediation.

Understanding the Vulnerability: CVE-2025-66035

At its core, CVE-2025-66035 is a credential leak stemming from how Angular's HttpClient decides when to attach the XSRF token. Angular's built-in XSRF protection reads the token from the XSRF-TOKEN cookie and adds it as the X-XSRF-TOKEN header on state-changing requests, so that the server can reject forged cross-site requests that do not carry it. To avoid handing the token to third parties, the XSRF interceptor skips requests whose URL starts with http:// or https://, treating those as cross-origin. A protocol-relative URL (one starting with //) matches neither prefix, so it is treated as same-origin even though the browser resolves //attacker.example/... to a different origin. The result is that the X-XSRF-TOKEN header is attached to requests sent to attacker-controlled domains.

This seemingly minor issue matters because the token is the only thing standing between a logged-in user and a forged request: the session cookie is sent by the browser automatically, and the XSRF token is what a cross-site attacker is not supposed to know. Once the token is disclosed, the protection it provides for password changes, purchases or other state-changing actions is gone for as long as the token stays valid. Two caveats a practitioner should weigh. First, the precondition is that the application issues a non-GET HttpClient request whose URL an attacker can influence (a value taken from a query string, a form field or a server response), so exposure depends on how the application builds its URLs. Second, a cross-site page cannot set the X-XSRF-TOKEN header itself unless the server's CORS policy allows it, so turning a leaked token into a forged request still depends on how the server accepts the token and on its CORS configuration. Neither caveat makes the leak acceptable; they determine how quickly it needs fixing.

The vulnerability resides in the @angular/common package. The scanner flagged version 13.3.11, but every release older than the patched ones listed below is affected. This package provides commonly needed directives, pipes and services for Angular applications, including HttpClient under @angular/common/http. The affected dependency file is located at /dgrv4_Gateway_serv/srcAngular/package.json, and the dependency hierarchy shows common-13.3.11.tgz as a direct dependency of that application rather than something pulled in transitively, so the fix is a change to that package.json rather than to an upstream library.

Technical Details and Impact

The technical specifics of CVE-2025-66035 revolve around HttpClient's handling of protocol-relative URLs. A URL starting with // is resolved by the browser against the scheme of the current page, so //attacker.example/collect on an https page becomes https://attacker.example/collect. Angular's XSRF interceptor, however, classifies a URL with a lower-cased string prefix test for http:// and https://; a // URL passes that test as if it were a relative path, so the token is attached and delivered straight to the attacker's server in the request headers. No interception on the wire is required.
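To make the check concrete, here is an added example that is not Angular's source and not code from the article. It models the decision the XSRF interceptor makes using a plain request object instead of the HttpClient API and a token passed in directly instead of read from the XSRF-TOKEN cookie. The vulnerable variant reproduces the prefix test described above; the hardened variant assumes the fix amounts to also treating a leading `//` as cross-origin (an assumption about the precise shape of the patch); a third variant resolves the URL against the page origin, which is what the browser will do when it sends the request. The app origin, the token value and the sample requests are constructed for the demonstration.

```javascript
// Added example: a stand-alone model of the XSRF interceptor's decision.
// Requests are plain {method, url, headers} objects, not Angular HttpRequests,
// and the token is passed in rather than read from the XSRF-TOKEN cookie.
// Runs under Node without Angular.

const XSRF_HEADER = 'X-XSRF-TOKEN';

// Vulnerable decision: GET/HEAD and explicit http(s):// URLs are skipped,
// so "//attacker.example/..." is not recognised as cross-origin.
function skipTokenVulnerable(req) {
  const lcUrl = req.url.toLowerCase();
  return req.method === 'GET' || req.method === 'HEAD' ||
    lcUrl.startsWith('http://') || lcUrl.startsWith('https://');
}

// Hardened decision (assumed shape of the fix): a leading "//" is also
// treated as cross-origin.
function skipTokenFixed(req) {
  const lcUrl = req.url.toLowerCase();
  return req.method === 'GET' || req.method === 'HEAD' ||
    lcUrl.startsWith('http://') || lcUrl.startsWith('https://') ||
    lcUrl.startsWith('//');
}

// Origin-based decision: resolve the URL exactly as the browser will and
// compare origins, so the outcome does not depend on string prefixes.
function skipTokenByOrigin(req, pageOrigin) {
  if (req.method === 'GET' || req.method === 'HEAD') return true;
  return new URL(req.url, pageOrigin).origin !== new URL(pageOrigin).origin;
}

// Apply one decision function and return the outgoing request.
function attachXsrf(req, token, skip) {
  if (skip(req)) return { ...req, headers: { ...req.headers } };
  return { ...req, headers: { ...req.headers, [XSRF_HEADER]: token } };
}

// True if the request would carry the token to an origin other than the page's.
function tokenLeaks(req, token, skip, pageOrigin) {
  const out = attachXsrf(req, token, skip);
  const crossOrigin =
    new URL(req.url, pageOrigin).origin !== new URL(pageOrigin).origin;
  return crossOrigin && out.headers[XSRF_HEADER] === token;
}

// Constructed sample: the app lives at https://app.example and issues requests
// whose URLs may have come from somewhere an attacker could influence.
const PAGE = 'https://app.example';
const TOKEN = 'constructed-xsrf-token';
const SAMPLES = [
  { method: 'POST', url: '/api/change-password', headers: {} },
  { method: 'POST', url: '//attacker.example/collect', headers: {} },
  { method: 'POST', url: 'https://attacker.example/collect', headers: {} },
  { method: 'GET', url: '//attacker.example/collect', headers: {} },
];

// One row per sample: does each decision variant leak the token?
function leakReport() {
  return SAMPLES.map((req) => ({
    method: req.method,
    url: req.url,
    vulnerable: tokenLeaks(req, TOKEN, skipTokenVulnerable, PAGE),
    fixed: tokenLeaks(req, TOKEN, skipTokenFixed, PAGE),
    byOrigin: tokenLeaks(req, TOKEN, (r) => skipTokenByOrigin(r, PAGE), PAGE),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(leakReport());
}
```

Only the second row leaks, and only under the vulnerable decision: the same-origin POST gets its token under every variant, the explicit https:// URL is skipped by the prefix test, and GET requests never carry a token. The origin-based variant is the one to reach for in your own code when a URL comes from untrusted input, since it does not care how the string is spelled.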

The CVSS 3 vector recorded for this entry is:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: None

That vector scores 0.0 because all three impact metrics are set to None, which in CVSS terminology is the None band rather than Low. It says nothing about the consequence of the leak and should be read as an artifact of how this entry was scored, not as a risk assessment. Judge exposure from the application instead: if any non-GET HttpClient request can be pointed at a protocol-relative URL derived from untrusted input, a successful leak hands the attacker the token that otherwise stops them from forging state-changing requests with the victim's session, with data exposure or account compromise as the realistic outcome.

Remediation and Mitigation Strategies

The recommended solution for CVE-2025-66035 is to upgrade @angular/common to a patched release: 19.2.16, 20.3.14 or 21.0.1, or later on each line. There is no fixed 13.x release; Angular 13 left long-term support in 2023, so an application on 13.3.11 has to move through several major versions. Angular's update guidance is to step one major version at a time with ng update, so plan the migration as a series of upgrades rather than a single dependency bump. The patched versions correct the URL classification so that XSRF tokens are no longer sent to other origins.

The suggested fix type is an upgrade, replacing common-13.3.11.tgz with a patched version. The fix was released on November 26, 2025. The fix resolution points to specific commits in the Angular repository on GitHub, which show the implemented changes.

Until the upgrade lands, a workaround is to keep protocol-relative URLs out of HttpClient requests entirely: use relative paths (starting with a single /) for your own API and fully qualified, trusted absolute URLs for everything else. The interceptor then classifies every request correctly and the token stays on the same origin. The workaround is only as good as your control over the URLs. Any value that reaches HttpClient from user input, a query string or a server response needs to be resolved and checked against the page origin before use, because a dependency scanner can find the library version but not the code path that hands an attacker-controlled // URL to the client.

Here's a breakdown of the remediation steps:

  1. Identify vulnerable applications: check the resolved version of @angular/common in each application's lockfile (or with npm ls @angular/common); any version older than the patched releases is affected, not only 13.3.11.
  2. Upgrade Angular: move to a patched version (19.2.16, 20.3.14, 21.0.1, or later) by updating your package.json file and running npm install or yarn install; from 13.x this means stepping through the intervening major versions with ng update.
  3. Verify the fix: after upgrading, confirm the behaviour as well as the version, for example with an HttpClientTestingModule test that issues a POST to a // URL and asserts that the captured request carries no X-XSRF-TOKEN header, then regression-test the application for anything the migration changed.
  4. Implement the workaround (if necessary): if the upgrade cannot happen immediately, replace protocol-relative URLs with relative paths or fully qualified trusted URLs, and validate any URL built from untrusted input before it reaches HttpClient.
  5. Regularly update dependencies: keep Angular and other dependencies current so that fixes like this one arrive as routine updates rather than multi-major migrations.
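The identification step and the workaround, as an added example that is not part of the article or of Angular: `isPatchedAngularCommon` classifies a resolved `@angular/common` version against the fixed releases listed above (treating any major newer than 21 as patched is an assumption), and `resolveRequestUrl` is the guard the workaround needs whenever a URL reaches HttpClient from anywhere other than a literal in your own code. It resolves the candidate the way the browser will, so a protocol-relative `//host/...` value is recognised as cross-origin and rejected unless its origin is on an explicit allowlist; same-origin targets come back as single-slash relative paths and trusted cross-origin targets as fully qualified URLs, which are the two forms the interceptor handles correctly in every version. Hostnames in the usage lines are constructed.

```javascript
// Added example, not from the article or from Angular. Helpers for the
// "identify" and "workaround" steps; runs under Node with no dependencies.

// Fixed releases named in the advisory, keyed by major version. Every release
// below the fix on its own line, and every older line (13.x included, which
// has no fixed release), is affected.
const FIXED_ANGULAR_COMMON = { 19: [19, 2, 16], 20: [20, 3, 14], 21: [21, 0, 1] };

// Parse "13.3.11", "v19.2.16" or a caret/tilde specifier into [major, minor, patch].
function parseVersion(spec) {
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  if (!m) throw new Error(`not a semver version: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the resolved @angular/common version (from the lockfile or from
// `npm ls @angular/common`) contains the fix. Majors newer than the newest
// fixed line are assumed to carry the fix; that is an assumption.
function isPatchedAngularCommon(version) {
  const v = parseVersion(version);
  const fixedMajors = Object.keys(FIXED_ANGULAR_COMMON).map(Number);
  const oldest = Math.min(...fixedMajors);
  const newest = Math.max(...fixedMajors);
  if (v[0] < oldest) return false;
  if (v[0] > newest) return true;
  return compareVersions(v, FIXED_ANGULAR_COMMON[v[0]]) >= 0;
}

// Workaround guard. Resolves `candidate` against the page origin exactly as
// the browser will, then returns either a single-slash relative path (same
// origin) or a fully qualified URL (origin on the allowlist). Anything else,
// including "//attacker.example/...", is rejected before HttpClient sees it.
function resolveRequestUrl(candidate, pageOrigin, trustedOrigins = []) {
  const page = new URL(pageOrigin);
  let target;
  try {
    target = new URL(candidate, page.origin);
  } catch (e) {
    throw new Error(`unparseable URL: ${candidate}`);
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    throw new Error(`unsupported scheme in ${candidate}`);
  }
  if (target.origin === page.origin) {
    return target.pathname + target.search;
  }
  if (trustedOrigins.includes(target.origin)) {
    return target.href;
  }
  throw new Error(`refusing cross-origin request to ${target.origin}`);
}

// Result-object variant for callers that prefer not to catch exceptions.
function checkRequestUrl(candidate, pageOrigin, trustedOrigins = []) {
  try {
    return { ok: true, url: resolveRequestUrl(candidate, pageOrigin, trustedOrigins) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('13.3.11 patched?', isPatchedAngularCommon('13.3.11'));
  console.log('19.2.16 patched?', isPatchedAngularCommon('19.2.16'));
  console.log(checkRequestUrl('//attacker.example/collect', 'https://app.example'));
  console.log(checkRequestUrl('/api/change-password?step=2', 'https://app.example'));
  console.log(checkRequestUrl('//cdn.example/lib.json', 'https://app.example', ['https://cdn.example']));
}
```

Wire `resolveRequestUrl` in at the one place your code turns external input into a request URL, with the page origin taken from `window.location.origin` in the browser; the guard then rejects attacker-influenced `//` values regardless of which Angular version is installed, and the version check tells you whether the upgrade has actually landed in each application.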

Conclusion

Although this entry carries a 0.0 CVSS score, CVE-2025-66035 leaks the one secret that makes Angular's XSRF protection work, so it is worth addressing promptly. Upgrading to a patched version of @angular/common, or applying the workaround and validating untrusted URLs until the upgrade is possible, closes the leak and keeps the token on your own origin. Security is an ongoing process: keeping dependencies current and watching for advisories like this one is what keeps a fix of this kind a routine update rather than a multi-version migration.

For further information on Open Source Security and related topics, you can explore resources like the Mend Vulnerability Database.